GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-19 23:53:41 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000065 ST350041 rev.JC4B 465,76GB Running: vi4jye0d.exe; Driver: C:\Users\ja\AppData\Local\Temp\uglcyaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000775d1840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0xffffffff88b4e890} .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0xffffffff88b4e590} .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[472] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0xffffffff88b4e090} .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000001001201f0 .text 
C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 
00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\wininit.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text 
C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\wininit.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\wininit.exe[524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000149ad0460 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000149ad0450 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000149ad0370 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 
00000000775d15c0 5 bytes JMP 0000000149ad0470 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 0000000149ad03e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000149ad0320 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 0000000149ad03b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000149ad0390 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 0000000149ad02e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 0000000149ad02d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000149ad0310 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 0000000149ad03c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 0000000149ad03f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000149ad0230 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0xffffffffd24fe890} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000149ad0480 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 0000000149ad03a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 0000000149ad02f0 .text C:\Windows\system32\csrss.exe[560] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000149ad0350 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000149ad0290 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 0000000149ad02b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 0000000149ad03d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000149ad0330 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0xffffffffd24fe590} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000149ad0410 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000149ad0240 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 0000000149ad01e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000149ad0250 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0xffffffffd24fe090} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000149ad0490 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 0000000149ad04a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000149ad0300 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000149ad0360 
.text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 0000000149ad02a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 0000000149ad02c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000149ad0380 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000149ad0340 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000149ad0440 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000149ad0260 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000149ad0270 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000149ad0400 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 0000000149ad01f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000149ad0210 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000149ad0200 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000149ad0420 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000149ad0430 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000149ad0220 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 
0000000149ad0280 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\services.exe[584] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 
bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\services.exe[584] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\services.exe[584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000001000702e0 .text 
C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0xffffffff88a9e890} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 
bytes {JMP 0xffffffff88a9e590} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0xffffffff88a9e090} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[608] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text 
C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text 
C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text 
C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 
.text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\winlogon.exe[664] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 
bytes JMP 00000000777304a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\winlogon.exe[664] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text 
C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\svchost.exe[756] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 
.text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\nvvsvc.exe[836] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[860] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 
byte [62] .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\svchost.exe[904] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 
0x15e090} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\svchost.exe[904] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 
.text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[996] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 
.text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\System32\svchost.exe[996] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\System32\svchost.exe[240] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 
0000000077730350 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\System32\svchost.exe[240] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 
.text C:\Windows\System32\svchost.exe[240] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text 
C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\svchost.exe[352] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\svchost.exe[352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 
0000000077730390 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\svchost.exe[1040] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\svchost.exe[1136] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 
bytes JMP 00000000777303a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\svchost.exe[1136] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 
0000000077730430 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 
00000000777303d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text 
C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\Dwm.exe[1616] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text 
C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text 
C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text 
C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\Explorer.EXE[1640] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\Explorer.EXE[1640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text 
C:\Windows\Explorer.EXE[1640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text 
C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\System32\spoolsv.exe[1704] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 
0000000077730390 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\svchost.exe[1796] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 
.text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\taskhost.exe[1848] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 
00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text 
C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\taskhost.exe[1848] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 
00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 
00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1964] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1636] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1564] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[544] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1928] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1928] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000749a1a22 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1928] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000749a1ad0 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1928] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000749a1b08 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1928] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000749a1bba 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1928] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000749a1bda 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075491465 2 bytes [49, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754914bb 2 bytes [49, 75] .text ... 
* 2 .text C:\Windows\SysWOW64\PnkBstrB.exe[2060] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrB.exe[2060] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000749a1a22 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2060] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000749a1ad0 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2060] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000749a1b08 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2060] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000749a1bba 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2060] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000749a1bda 2 bytes [9A, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2060] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075491465 2 bytes [49, 75] .text C:\Windows\SysWOW64\PnkBstrB.exe[2060] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000754914bb 2 bytes [49, 75] .text ... 
* 2 .text C:\Windows\system32\svchost.exe[2096] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\svchost.exe[2116] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte 
JMP 0000000077730250 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\svchost.exe[2116] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000100070460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000100070450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000100070370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000100070470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000001000703e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000100070320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
00000000775d16b0 5 bytes JMP 00000001000703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000100070390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000001000702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000001000702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000100070310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000001000703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000001000703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000100070230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0xffffffff88a9e890} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000100070480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000001000703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000001000702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000100070350 .text 
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000100070290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000001000702b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000001000703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000100070330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0xffffffff88a9e590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000100070410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000100070240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000001000701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000100070250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0xffffffff88a9e090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000100070490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000001000704a0 .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000100070300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000100070360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000001000702a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000001000702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000100070380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000100070340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000100070440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000100070260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000100070270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000100070400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000001000701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000100070210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000100070200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000100070420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000100070430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000100070220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000100070280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
00000000775d16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0xffffffff88a9e890} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[2612] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0xffffffff88a9e590} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0xffffffff88a9e090} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000001000702c0 .text 
C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text 
C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775a3ae0 5 bytes JMP 000000010033075c .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775a7a90 5 bytes JMP 00000001003303a4 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000775d1490 5 bytes JMP 0000000100330b14 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000775d14f0 5 bytes JMP 0000000100330ecc .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 000000010033163c .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000775d1810 5 bytes JMP 0000000100331284 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 00000001003319f4 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff086e00 5 bytes JMP 000007ff7f0a1dac .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff086f2c 5 bytes JMP 000007ff7f0a0ecc .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff087220 5 bytes JMP 000007ff7f0a1284 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff08739c 5 bytes JMP 000007ff7f0a163c .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff087538 5 bytes JMP 000007ff7f0a19f4 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0875e8 5 bytes JMP 000007ff7f0a03a4 .text C:\Windows\system32\svchost.exe[2332] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff08790c 5 bytes JMP 000007ff7f0a075c .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff087ab4 5 bytes JMP 000007ff7f0a0b14 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775a3ae0 5 bytes JMP 000000010022075c .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775a7a90 5 bytes JMP 00000001002203a4 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000775d1490 5 bytes JMP 0000000100220b14 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000775d14f0 5 bytes JMP 0000000100220ecc .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 000000010022163c .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 
00000000777302e0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000775d1810 5 bytes JMP 0000000100221284 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\System32\svchost.exe[3752] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 
.text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 00000001002219f4 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff086e00 5 bytes JMP 000007ff7f0a1dac .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff086f2c 5 bytes JMP 000007ff7f0a0ecc .text C:\Windows\System32\svchost.exe[3752] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff087220 5 bytes JMP 000007ff7f0a1284 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff08739c 5 bytes JMP 000007ff7f0a163c .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff087538 5 bytes JMP 000007ff7f0a19f4 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0875e8 5 bytes JMP 000007ff7f0a03a4 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff08790c 5 bytes JMP 000007ff7f0a075c .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff087ab4 5 bytes JMP 000007ff7f0a0b14 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000076ea8550 5 bytes JMP 000000010013075c .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 0000000076ead440 5 bytes JMP 0000000100131284 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076eaf874 5 bytes JMP 0000000100130ecc .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076eb4d4c 5 bytes JMP 00000001001303a4 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ec8c20 5 bytes JMP 0000000100130b14 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007777faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007777fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007777fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] 
C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077780018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077781900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007779c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777a1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076301072 5 bytes JMP 00000001087bbbbb .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\KERNEL32.dll!CreateThread 00000000763034a5 5 bytes JMP 00000001087bb465 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 byte [62] .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!GetDC 00000000752272c4 5 bytes JMP 00000001087baca0 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!ReleaseDC 0000000075227446 5 bytes JMP 00000001087bad48 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075228a29 5 bytes JMP 00000001087bb813 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075228e4e 5 bytes JMP 00000001087bb69f .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007522ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!IsWindowVisible 000000007523112d 7 bytes JMP 00000001087bb8e5 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!GetCursorPos 0000000075231218 5 bytes JMP 00000001087bb195 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] 
C:\Windows\syswow64\USER32.dll!BeginPaint 0000000075231361 5 bytes JMP 00000001087bac04 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!InvalidateRect 0000000075231381 5 bytes JMP 00000001087baf76 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!RedrawWindow 000000007523140b 5 bytes JMP 00000001087bb2fa .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!SetFocus 0000000075232175 5 bytes JMP 00000001087baec5 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075233982 3 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!UnhookWinEvent + 4 0000000075233986 1 byte [8B] .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!RegisterClassA 000000007523434b 5 bytes JMP 00000001087bb3b4 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!InvalidateRgn 0000000075236604 5 bytes JMP 00000001087bb02d .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075237603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007523835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!TrackPopupMenu 000000007524c288 5 bytes JMP 00000001087bbaf8 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007524cfca 5 bytes JMP 00000001087bb525 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!WindowFromPoint 000000007524ed12 5 bytes JMP 00000001087bb246 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!SetCapture 000000007524ed56 5 bytes JMP 00000001087bb0e4 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] 
C:\Windows\syswow64\USER32.dll!SetForegroundWindow 000000007524f170 5 bytes JMP 00000001087bb762 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007524f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Xfire\Xfire.exe[1432] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000752510dc 5 bytes JMP 00000001087bb5e2 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775a3ae0 5 bytes JMP 000000010044075c .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775a7a90 5 bytes JMP 00000001004403a4 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000775d1490 5 bytes JMP 0000000100440b14 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000775d14f0 5 bytes JMP 0000000100440ecc .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 000000010044163c .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 
00000000777303b0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000775d1810 5 bytes JMP 0000000100441284 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text 
C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 00000001004419f4 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff086e00 5 bytes JMP 000007ff7f0a1dac .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff086f2c 5 bytes JMP 000007ff7f0a0ecc .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff087220 5 bytes JMP 000007ff7f0a1284 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff08739c 5 bytes JMP 000007ff7f0a163c .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff087538 5 bytes JMP 000007ff7f0a19f4 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0875e8 5 bytes JMP 000007ff7f0a03a4 .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff08790c 5 bytes JMP 000007ff7f0a075c .text C:\Program Files (x86)\Xfire\xfire64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff087ab4 5 bytes JMP 000007ff7f0a0b14 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775a3ae0 5 bytes JMP 00000001003f075c .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775a7a90 5 bytes JMP 00000001003f03a4 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Program Files 
(x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000775d1490 5 bytes JMP 00000001003f0b14 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000775d14f0 5 bytes JMP 00000001003f0ecc .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000001003f163c .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 
00000000775d1810 5 bytes JMP 00000001003f1284 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Program Files 
(x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes 
JMP 0000000077730260 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 00000001003f19f4 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff086e00 5 bytes JMP 000007ff7f0a1dac .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff086f2c 5 bytes JMP 000007ff7f0a0ecc .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff087220 5 bytes JMP 000007ff7f0a1284 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff08739c 5 bytes JMP 000007ff7f0a163c .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff087538 5 bytes JMP 000007ff7f0a19f4 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0875e8 5 bytes JMP 000007ff7f0a03a4 .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff08790c 5 bytes JMP 000007ff7f0a075c .text C:\Program Files (x86)\Xfire\xfire64.exe[3152] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff087ab4 5 bytes JMP 000007ff7f0a0b14 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000077730460 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000077730450 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000077730370 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000077730470 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 00000000777303e0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000077730320 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000000777303b0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000077730390 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000777302e0 .text C:\Windows\system32\AUDIODG.EXE[2284] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000777302d0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000077730310 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000000777303c0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000000777303f0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000077730230 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000077730480 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000000777303a0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000000777302f0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000077730350 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000077730290 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000777302b0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000000777303d0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000077730330 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes 
{JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000077730410 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000077730240 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000000777301e0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000077730250 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000077730490 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000000777304a0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000077730300 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000077730360 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000000777302a0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000777302c0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000077730380 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000077730340 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000077730440 .text C:\Windows\system32\AUDIODG.EXE[2284] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000077730260 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000077730270 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 0000000077730400 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000000777301f0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000077730210 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000077730200 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000077730420 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000077730430 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000077730220 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000077730280 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775a3ae0 5 bytes JMP 000000010041075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775a7a90 5 bytes JMP 00000001004103a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775d13c0 5 bytes JMP 0000000100060460 
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775d1410 5 bytes JMP 0000000100060450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000775d1490 5 bytes JMP 0000000100410b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000775d14f0 5 bytes JMP 0000000100410ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775d1570 5 bytes JMP 0000000100060370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775d15c0 5 bytes JMP 0000000100060470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775d15d0 5 bytes JMP 000000010041163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775d1680 5 bytes JMP 0000000100060320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 00000001000603b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775d16d0 5 bytes JMP 0000000100060390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000001000602e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000001000602d0 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775d17b0 5 bytes JMP 0000000100060310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775d17f0 5 bytes JMP 00000001000603c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000775d1810 5 bytes JMP 0000000100411284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775d1840 5 bytes JMP 00000001000603f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775d19a0 1 byte JMP 0000000100060230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775d19a2 3 bytes {JMP 0xffffffff88a8e890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775d1b60 5 bytes JMP 0000000100060480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775d1b90 5 bytes JMP 00000001000603a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775d1c70 5 bytes JMP 00000001000602f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775d1c80 5 bytes JMP 0000000100060350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000100060290 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000001000602b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775d1d90 5 bytes JMP 00000001000603d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775d1da0 1 byte JMP 0000000100060330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000775d1da2 3 bytes {JMP 0xffffffff88a8e590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775d1e10 5 bytes JMP 0000000100060410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775d1e40 5 bytes JMP 0000000100060240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775d2100 5 bytes JMP 00000001000601e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775d21c0 1 byte JMP 0000000100060250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775d21c2 3 bytes {JMP 0xffffffff88a8e090} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775d21f0 5 bytes JMP 0000000100060490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775d2200 5 bytes JMP 00000001000604a0 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775d2230 5 bytes JMP 0000000100060300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775d2240 5 bytes JMP 0000000100060360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 00000001000602a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000001000602c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775d2320 5 bytes JMP 0000000100060380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775d2330 5 bytes JMP 0000000100060340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775d2620 5 bytes JMP 0000000100060440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775d2820 5 bytes JMP 0000000100060260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775d2830 5 bytes JMP 0000000100060270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775d2840 5 bytes JMP 00000001004119f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775d2a00 5 bytes JMP 00000001000601f0 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775d2a10 5 bytes JMP 0000000100060210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775d2a80 5 bytes JMP 0000000100060200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775d2ae0 5 bytes JMP 0000000100060420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775d2af0 5 bytes JMP 0000000100060430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775d2b00 5 bytes JMP 0000000100060220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775d2be0 5 bytes JMP 0000000100060280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076ffee7d 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff086e00 5 bytes JMP 000007ff7f0a1dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff086f2c 5 bytes JMP 000007ff7f0a0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff087220 5 bytes JMP 000007ff7f0a1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff08739c 5 bytes JMP 000007ff7f0a163c .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff087538 5 bytes JMP 000007ff7f0a19f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0875e8 5 bytes JMP 000007ff7f0a03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff08790c 5 bytes JMP 000007ff7f0a075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3764] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff087ab4 5 bytes JMP 000007ff7f0a0b14 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007777faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007777fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007777fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077780018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077781900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007779c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777a1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 byte [62] .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] 
C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007522ee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075233982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075237603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007523835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007524f52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076d45181 5 bytes JMP 0000000100281014 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076d45254 5 bytes JMP 0000000100280804 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076d453d5 5 bytes JMP 0000000100280a08 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076d454c2 5 bytes JMP 0000000100280c0c .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076d455e2 5 bytes JMP 0000000100280e10 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076d4567c 5 bytes JMP 00000001002801f8 .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076d4589f 5 bytes JMP 00000001002803fc .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076d45a22 5 bytes JMP 0000000100280600 .text C:\Program Files 
(x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075491465 2 bytes [49, 75] .text C:\Program Files (x86)\Gadu-Gadu 10\open-fm.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754914bb 2 bytes [49, 75] .text ... * 2 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007777faa0 5 bytes JMP 0000000100030600 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007777fb38 5 bytes JMP 0000000100030804 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007777fc90 5 bytes JMP 0000000100030c0c .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077780018 5 bytes JMP 0000000100030a08 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077781900 5 bytes JMP 0000000100030e10 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007779c45a 5 bytes JMP 00000001000301f8 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777a1217 5 bytes JMP 00000001000303fc .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 byte [62] .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\syswow64\user32.DLL!SetWinEventHook 000000007522ee09 5 bytes JMP 00000001002501f8 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000075233982 5 bytes JMP 00000001002503fc .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000075237603 5 bytes JMP 0000000100250804 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 000000007523835c 5 bytes JMP 0000000100250600 .text C:\Users\ja\Downloads\OTL.exe[4560] 
C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 000000007524f52b 3 bytes JMP 0000000100250a08 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx + 4 000000007524f52f 1 byte [8B] .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076d45181 5 bytes JMP 0000000100271014 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076d45254 5 bytes JMP 0000000100270804 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076d453d5 5 bytes JMP 0000000100270a08 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076d454c2 5 bytes JMP 0000000100270c0c .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076d455e2 5 bytes JMP 0000000100270e10 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076d4567c 5 bytes JMP 00000001002701f8 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076d4589f 5 bytes JMP 00000001002703fc .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076d45a22 5 bytes JMP 0000000100270600 .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075491465 2 bytes [49, 75] .text C:\Users\ja\Downloads\OTL.exe[4560] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000754914bb 2 bytes [49, 75] .text ... 
* 2 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007777faa0 5 bytes JMP 0000000100030600 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007777fb38 5 bytes JMP 0000000100030804 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007777fc90 5 bytes JMP 0000000100030c0c .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077780018 5 bytes JMP 0000000100030a08 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077781900 5 bytes JMP 0000000100030e10 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007779c45a 5 bytes JMP 00000001000301f8 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777a1217 5 bytes JMP 00000001000303fc .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007632a2ea 1 byte [62] .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076d45181 5 bytes JMP 0000000100241014 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076d45254 5 bytes JMP 0000000100240804 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076d453d5 5 bytes JMP 0000000100240a08 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076d454c2 5 bytes JMP 0000000100240c0c .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076d455e2 5 bytes JMP 0000000100240e10 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076d4567c 5 bytes JMP 00000001002401f8 
.text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076d4589f 5 bytes JMP 00000001002403fc .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076d45a22 5 bytes JMP 0000000100240600 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007522ee09 5 bytes JMP 00000001002501f8 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075233982 5 bytes JMP 00000001002503fc .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075237603 5 bytes JMP 0000000100250804 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007523835c 5 bytes JMP 0000000100250600 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007524f52b 3 bytes JMP 0000000100250a08 .text C:\Users\ja\Downloads\vi4jye0d.exe[3448] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx + 4 000000007524f52f 1 byte [8B] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:3864] 000007fefee10168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:3892] 000007fefbf72a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:3900] 000007fef21dd618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:3096] 000007fef68d5124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? 
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 57 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 1609649 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 57 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 1609649 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3} 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming\.minecraft 0 bytes File C:\avast! 
sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming\.minecraft\lastlogin 16 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3} 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming\.minecraft 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming\.minecraft\lastlogin 16 bytes ---- EOF - GMER 2.1 ----