GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-29 15:24:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006a ST350032 rev.SD15 465,76GB Running: imfw2j6u.exe; Driver: C:\Users\karol\AppData\Local\Temp\awddykod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000779d1840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0xffffffff8874e890} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0xffffffff8874e590} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[416] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0xffffffff8874e090} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 00000001001201f0 .text 
C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 
00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\wininit.exe[488] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text 
C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 000000014a010460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 000000014a010450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 000000014a010370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 
00000000779d15c0 5 bytes JMP 000000014a010470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 000000014a0103e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 000000014a010320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 000000014a0103b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 000000014a010390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 000000014a0102e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 000000014a0102d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 000000014a010310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 000000014a0103c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 000000014a0103f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 000000014a010230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0xffffffffd263e890} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 000000014a010480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 000000014a0103a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 000000014a0102f0 .text C:\Windows\system32\csrss.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 000000014a010350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 000000014a010290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 000000014a0102b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 000000014a0103d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 000000014a010330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0xffffffffd263e590} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 000000014a010410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 000000014a010240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 000000014a0101e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 000000014a010250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0xffffffffd263e090} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 000000014a010490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 000000014a0104a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 000000014a010300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 000000014a010360 
.text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 000000014a0102a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 000000014a0102c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 000000014a010380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 000000014a010340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 000000014a010440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 000000014a010260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 000000014a010270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 000000014a010400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 000000014a0101f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 000000014a010210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 000000014a010200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 000000014a010420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 000000014a010430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 000000014a010220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 
000000014a010280 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\services.exe[552] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0xffffffff8869e890} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0xffffffff8869e590} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 
2 00000000779d21c2 3 bytes {JMP 0xffffffff8869e090} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000100070210 .text 
C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes 
JMP 0000000077b302e0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 
00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\lsass.exe[560] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text 
C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text 
C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text 
C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text 
C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 
00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\svchost.exe[672] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 
0000000077b30430 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\svchost.exe[772] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 
0000000077b30240 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\svchost.exe[772] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\atiesrxx.exe[832] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 
0000000077b30320 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\winlogon.exe[872] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 
0000000077b302c0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\System32\svchost.exe[912] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text 
C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[912] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 
0000000077b30200 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\System32\svchost.exe[912] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\System32\svchost.exe[952] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} 
.text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 
00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\System32\svchost.exe[952] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text 
C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 
00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\svchost.exe[996] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 
.text C:\Windows\system32\svchost.exe[996] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text 
C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\svchost.exe[756] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 
0000000100070390 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0xffffffff8869e890} .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1108] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0xffffffff8869e590} .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0xffffffff8869e090} .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes 
JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\atieclxx.exe[1276] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 
00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text 
C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\atieclxx.exe[1276] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\atieclxx.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 
0000000077b303c0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\System32\spoolsv.exe[1508] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 
0000000077b30400 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1544] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0xffffffff8869e890} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
00000000779d1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0xffffffff8869e590} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0xffffffff8869e090} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 00000001000702c0 .text 
C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1640] 
C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Program Files\ATI 
Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 
0000000077b30330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Program Files\ATI 
Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text 
C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\svchost.exe[1824] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 
0000000077b30270 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1892] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000075521a22 2 bytes [52, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1892] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000075521ad0 2 bytes [52, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1892] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000075521b08 2 bytes [52, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1892] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000075521bba 2 bytes [52, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1892] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 
0000000075521bda 2 bytes [52, 75] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] .text C:\Windows\system32\svchost.exe[2044] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Users\karol\AppData\Local\majtuto4pc_pl_9\supmajt4pc_pl_9.exe[1400] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 
0000000077b30310 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text 
C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\taskhost.exe[1696] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\taskhost.exe[1696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 
0000000077b303e0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes 
JMP 0000000077b30290 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 
0000000077b302c0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 
0000000077b30450 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\Explorer.EXE[1820] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\Explorer.EXE[1820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text 
C:\Windows\Explorer.EXE[1820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text 
C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\System32\svchost.exe[2100] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\System32\svchost.exe[2100] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Users\karol\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] .text C:\Windows\PixArt\PAC7302\Monitor.exe[2964] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000100270460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000100270450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000100270370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000100270470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 00000001002703e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000100270320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 00000001002703b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000100270390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 00000001002702e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 00000001002702d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000100270310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 00000001002703c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 00000001002703f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000100270230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0xffffffff8889e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000100270480 .text 
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 00000001002703a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 00000001002702f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000100270350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000100270290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 00000001002702b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 00000001002703d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000100270330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0xffffffff8889e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000100270410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000100270240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 00000001002701e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000100270250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0xffffffff8889e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000100270490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 00000001002704a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000100270300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000100270360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 00000001002702a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 00000001002702c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000100270380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000100270340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000100270440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000100270260 
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000100270270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000100270400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 00000001002701f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000100270210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000100270200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000100270420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000100270430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000100270220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000100270280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2108] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2208] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3168] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] 
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779a3ae0 5 bytes JMP 000000010018075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779a7a90 5 bytes JMP 00000001001803a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 00000001002a0460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 00000001002a0450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000779d1490 5 bytes JMP 0000000100180b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779d14f0 5 bytes JMP 0000000100180ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 00000001002a0370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 00000001002a0470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 000000010018163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 00000001002a0320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 00000001002a03b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 00000001002a0390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 00000001002a02e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 00000001002a02d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 00000001002a0310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 00000001002a03c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779d1810 5 bytes JMP 0000000100181284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 00000001002a03f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 00000001002a0230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0xffffffff888ce890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 00000001002a0480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 00000001002a03a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 
00000001002a02f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 00000001002a0350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 00000001002a0290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 00000001002a02b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 00000001002a03d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 00000001002a0330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 00000001002a0410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 00000001002a0240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 00000001002a01e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 00000001002a0250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0xffffffff888ce090} .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 00000001002a0490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 00000001002a04a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 00000001002a0300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 00000001002a0360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 00000001002a02a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 00000001002a02c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 00000001002a0380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 00000001002a0340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 00000001002a0440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 00000001002a0260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 00000001002a0270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 00000001001819f4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 00000001002a01f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 00000001002a0210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 00000001002a0200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 00000001002a0420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 00000001002a0430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 00000001002a0220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 00000001002a0280 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b7fab0 5 bytes JMP 0000000100030600 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b7fb48 5 bytes JMP 0000000100030804 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b7fca0 5 bytes JMP 0000000100030c0c .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b80028 5 bytes 
JMP 0000000100030a08 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b81910 5 bytes JMP 0000000100030e10 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b9c43a 5 bytes JMP 00000001000301f8 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ba11d7 5 bytes JMP 00000001000303fc .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007573ee09 5 bytes JMP 00000001002501f8 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075743982 5 bytes JMP 00000001002503fc .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075747603 5 bytes JMP 0000000100250804 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007574835c 5 bytes JMP 0000000100250600 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007575f52b 5 bytes JMP 0000000100250a08 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076615181 5 bytes JMP 0000000100271014 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076615254 5 bytes JMP 0000000100270804 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766153d5 5 bytes JMP 0000000100270a08 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766154c2 5 bytes JMP 0000000100270c0c .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766155e2 5 bytes JMP 0000000100270e10 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007661567c 5 bytes JMP 00000001002701f8 .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007661589f 5 bytes JMP 00000001002703fc .text C:\Users\karol\AppData\Roaming\TorrentStream\updater\tsupdate.exe[5044] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076615a22 5 bytes JMP 0000000100270600 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779a3ae0 5 bytes JMP 000000010018075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779a7a90 5 bytes JMP 00000001001803a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000779d1490 5 bytes JMP 0000000100180b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 
00000000779d14f0 5 bytes JMP 0000000100180ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 000000010018163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779d1810 5 bytes JMP 0000000100181284 
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte JMP 0000000077b30250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 00000001001819f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdea6e00 5 bytes JMP 000007ff7dec1dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdea6f2c 5 bytes JMP 000007ff7dec0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdea7220 5 bytes JMP 000007ff7dec1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdea739c 5 bytes JMP 000007ff7dec163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdea7538 5 bytes JMP 000007ff7dec19f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdea75e8 5 bytes JMP 000007ff7dec03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdea790c 5 bytes JMP 000007ff7dec075c .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4424] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdea7ab4 5 bytes JMP 000007ff7dec0b14 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779d13c0 5 bytes JMP 0000000077b30460 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779d1410 5 bytes JMP 0000000077b30450 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779d1570 5 bytes JMP 0000000077b30370 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779d15c0 5 bytes JMP 0000000077b30470 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779d15d0 5 bytes JMP 0000000077b303e0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779d1680 5 bytes JMP 0000000077b30320 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d16b0 5 bytes JMP 0000000077b303b0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779d16d0 5 bytes JMP 0000000077b30390 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779d1710 5 bytes JMP 0000000077b302e0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779d1790 5 bytes JMP 0000000077b302d0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779d17b0 5 bytes JMP 0000000077b30310 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779d17f0 5 bytes JMP 0000000077b303c0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779d1840 5 bytes JMP 0000000077b303f0 .text C:\Windows\system32\AUDIODG.EXE[5008] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779d19a0 1 byte JMP 0000000077b30230 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779d1b60 5 bytes JMP 0000000077b30480 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779d1b90 5 bytes JMP 0000000077b303a0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779d1c70 5 bytes JMP 0000000077b302f0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779d1c80 5 bytes JMP 0000000077b30350 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779d1ce0 5 bytes JMP 0000000077b30290 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779d1d70 5 bytes JMP 0000000077b302b0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779d1d90 5 bytes JMP 0000000077b303d0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779d1da0 1 byte JMP 0000000077b30330 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779d1e10 5 bytes JMP 0000000077b30410 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779d1e40 5 bytes JMP 0000000077b30240 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779d2100 5 bytes JMP 0000000077b301e0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779d21c0 1 byte 
JMP 0000000077b30250 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779d21f0 5 bytes JMP 0000000077b30490 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779d2200 5 bytes JMP 0000000077b304a0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779d2230 5 bytes JMP 0000000077b30300 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779d2240 5 bytes JMP 0000000077b30360 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779d22a0 5 bytes JMP 0000000077b302a0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779d22f0 5 bytes JMP 0000000077b302c0 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779d2320 5 bytes JMP 0000000077b30380 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779d2330 5 bytes JMP 0000000077b30340 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779d2620 5 bytes JMP 0000000077b30440 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779d2820 5 bytes JMP 0000000077b30260 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779d2830 5 bytes JMP 0000000077b30270 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779d2840 5 bytes JMP 0000000077b30400 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779d2a00 5 bytes JMP 0000000077b301f0 .text C:\Windows\system32\AUDIODG.EXE[5008] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779d2a10 5 bytes JMP 0000000077b30210 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779d2a80 5 bytes JMP 0000000077b30200 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779d2ae0 5 bytes JMP 0000000077b30420 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779d2af0 5 bytes JMP 0000000077b30430 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779d2b00 5 bytes JMP 0000000077b30220 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779d2be0 5 bytes JMP 0000000077b30280 .text C:\Windows\system32\AUDIODG.EXE[5008] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000777beecd 1 byte [62] .text C:\Users\karol\Desktop\Gmer\imfw2j6u.exe[4460] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c1a322 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1108:2080] 000007fef97083d8 Thread C:\Windows\system32\svchost.exe [1108:2084] 000007fef97083d8 Thread C:\Windows\system32\svchost.exe [1108:2088] 000007fef97083d8 Thread C:\Windows\system32\svchost.exe [1108:2092] 000007fef97083d8 Thread C:\Windows\system32\svchost.exe [1108:2404] 000007fef72c3f1c Thread C:\Windows\system32\svchost.exe [1108:2408] 000007fef7291a38 Thread C:\Windows\system32\svchost.exe [1108:2412] 000007fef7285388 Thread C:\Windows\system32\svchost.exe [1108:2416] 000007fef7267738 Thread C:\Windows\system32\svchost.exe [1108:2420] 000007fef7251f90 Thread C:\Windows\system32\svchost.exe [1108:2428] 000007fef7b05170 Thread C:\Windows\System32\svchost.exe [2100:4660] 000007feec3aed7c Thread C:\Windows\System32\svchost.exe [2100:4740] 000007feecb09688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 13 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 40039 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 13 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 40039 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----