GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-16 10:51:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000062 SAMSUNG_ rev.1AC0 232,89GB Running: sdgwxpdu.exe; Driver: C:\Users\OEM\AppData\Local\Temp\uxriqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000149e90460 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000149e90450 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000149e90370 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000149e90470 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 0000000149e903e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000149e90320 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 0000000149e903b0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000149e90390 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 0000000149e902e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 0000000149e902d0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000149e90310 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 0000000149e903c0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 0000000149e903f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000149e90230 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000149e90480 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 0000000149e903a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 0000000149e902f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000149e90350 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000149e90290 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 0000000149e902b0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 0000000149e903d0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000149e90330 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000149e90410 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000149e90240 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 0000000149e901e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000149e90250 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000149e90490 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 0000000149e904a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000149e90300 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000149e90360 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 0000000149e902a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 0000000149e902c0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000149e90380 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000149e90340 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000149e90440 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000149e90260 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000149e90270 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000149e90400 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 0000000149e901f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000149e90210 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000149e90200 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000149e90420 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000149e90430 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000149e90220 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000149e90280 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\wininit.exe[496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000149e90460 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000149e90450 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000149e90370 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000149e90470 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 0000000149e903e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000149e90320 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 0000000149e903b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000149e90390 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 0000000149e902e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 0000000149e902d0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000149e90310 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 0000000149e903c0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 0000000149e903f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000149e90230 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000149e90480 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 0000000149e903a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 0000000149e902f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000149e90350 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000149e90290 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 0000000149e902b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 0000000149e903d0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000149e90330 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000149e90410 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000149e90240 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 0000000149e901e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000149e90250 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000149e90490 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 0000000149e904a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000149e90300 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000149e90360 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 0000000149e902a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 0000000149e902c0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000149e90380 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000149e90340 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000149e90440 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000149e90260 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000149e90270 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000149e90400 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 0000000149e901f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000149e90210 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000149e90200 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000149e90420 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000149e90430 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000149e90220 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000149e90280 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000100060460 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000100060450 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000100060370 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000100060470 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000100060320 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000100060390 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000100060310 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000100060230 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000100060480 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000100060350 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000100060290 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000100060330 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000100060410 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000100060240 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000100060250 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000100060490 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000100060300 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000100060360 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000100060380 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000100060340 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000100060440 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000100060260 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000100060270 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000100060210 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000100060200 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000100060420 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000100060430 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000100060220 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000100060280 .text C:\Windows\system32\nvvsvc.exe[832] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[856] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\System32\svchost.exe[988] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\System32\svchost.exe[328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000100070460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000100070450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000100070370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000100070470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001000703e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000100070320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001000703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000100070390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001000702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000100070310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001000703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000100070230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000100070480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000100070350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000100070290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000100070330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000100070410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000100070240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000100070250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000100070490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000100070300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000100070360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001000702a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001000702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000100070380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000100070340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000100070440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000100070260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000100070270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000100070400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000100070210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000100070200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000100070420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000100070430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000100070280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1956] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000100060460 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000100060450 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000100060370 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000100060470 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000100060320 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000100060390 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000100060310 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000100060230 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000100060480 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000100060350 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000100060290 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000100060330 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000100060410 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000100060240 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000100060250 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000100060490 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000100060300 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000100060360 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000100060380 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000100060340 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000100060440 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000100060260 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000100060270 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000100060210 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000100060200 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000100060420 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000100060430 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000100060220 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000100060280 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\Dwm.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\Explorer.EXE[2080] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2120] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2120] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000749c1465 2 bytes [9C, 74] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2120] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000749c14bb 2 bytes [9C, 74] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2276] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2348] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2376] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2376] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074661a22 2 bytes [66, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2376] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074661ad0 2 bytes [66, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2376] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074661b08 2 bytes [66, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2376] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074661bba 2 bytes [66, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2376] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074661bda 2 bytes [66, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000749c1465 2 bytes [9C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000749c14bb 2 bytes [9C, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[2440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\rundll32.exe[2564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2960] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2128] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2268] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074ac87b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2268] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Program Files (x86)\Daemon Tools Pro\DTShellHlp.exe[2844] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\SearchIndexer.exe[1236] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\conhost.exe[3500] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\SearchProtocolHost.exe[3600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\svchost.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Users\OEM\Desktop\GMER\sdgwxpdu.exe[3484] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074aea30a 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3112:3320] 000007fefb9e2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3112:3328] 000007fef103d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3112:3916] 000007fef0fd9730 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3112:3200] 000007fef8845124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3112:3084] 000007fef103d618 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE (*** suspicious ***) @ C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE [1316] (EPSON Status Monitor 3/SEIKO EPSON CORPORATION)(2012-12-22 12:19:58) 0000000100000000 Process C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE (*** suspicious ***) @ C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE [1320] (EPSON Status Monitor 3/SEIKO EPSON CORPORATION)(2012-12-22 12:19:58) 0000000100000000 Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2080] (GG drive overlay/GG Network S.A.)(2013-01-23 13:08:43) 000000005c080000 Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\explorer.exe [3948] (GG drive overlay/GG Network S.A.)(2013-01-23 13:08:43) 000000005c080000 ---- EOF - GMER 2.1 ----