GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-22 13:28:34 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC38 465,76GB Running: 1s2yhxwz.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\kgldipoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 000000014a100460 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 000000014a100450 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 000000014a100370 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 000000014a100470 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 000000014a1003e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 000000014a100320 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 000000014a1003b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 000000014a100390 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 000000014a1002e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 000000014a1002d0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 000000014a100310 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 000000014a1003c0 .text C:\Windows\system32\csrss.exe[428] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 000000014a1003f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 000000014a100230 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0xffffffffd338e890} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 000000014a100480 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 000000014a1003a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 000000014a1002f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 000000014a100350 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 000000014a100290 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 000000014a1002b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 000000014a1003d0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 000000014a100330 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0xffffffffd338e590} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 000000014a100410 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 000000014a100240 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 000000014a1001e0 
.text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 000000014a100250 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0xffffffffd338e090} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 000000014a100490 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 000000014a1004a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 000000014a100300 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 000000014a100360 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 000000014a1002a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 000000014a1002c0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 000000014a100380 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 000000014a100340 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 000000014a100440 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 000000014a100260 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 000000014a100270 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 000000014a100400 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000076d72a00 5 bytes JMP 000000014a1001f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 000000014a100210 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 000000014a100200 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 000000014a100420 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 000000014a100430 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 000000014a100220 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 000000014a100280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\wininit.exe[488] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 
.text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 000000014a100460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 000000014a100450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 000000014a100370 .text C:\Windows\system32\csrss.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 000000014a100470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 000000014a1003e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 000000014a100320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 000000014a1003b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 000000014a100390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 000000014a1002e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 000000014a1002d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 000000014a100310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 000000014a1003c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 000000014a1003f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 000000014a100230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0xffffffffd338e890} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 000000014a100480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 000000014a1003a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 000000014a1002f0 .text 
C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 000000014a100350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 000000014a100290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 000000014a1002b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 000000014a1003d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 000000014a100330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0xffffffffd338e590} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 000000014a100410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 000000014a100240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 000000014a1001e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 000000014a100250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0xffffffffd338e090} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 000000014a100490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 000000014a1004a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 000000014a100300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
0000000076d72240 5 bytes JMP 000000014a100360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 000000014a1002a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 000000014a1002c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 000000014a100380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 000000014a100340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 000000014a100440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 000000014a100260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 000000014a100270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 000000014a100400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 000000014a1001f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 000000014a100210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 000000014a100200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 000000014a100420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 000000014a100430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 000000014a100220 .text C:\Windows\system32\csrss.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 000000014a100280 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 
0000000076ed0230 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\winlogon.exe[556] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 
bytes JMP 0000000076ed0210 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\services.exe[600] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 
0000000076ed0330 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\services.exe[600] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 
0000000076ed0370 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\lsass.exe[620] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text 
C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text 
C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text 
C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text 
C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes 
JMP 0000000076ed0310 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\svchost.exe[728] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 
.text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\svchost.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\svchost.exe[828] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 
0000000076ed0290 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\svchost.exe[828] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] 
.text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 
0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text 
C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\System32\svchost.exe[952] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\System32\svchost.exe[952] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text 
C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 
0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\System32\svchost.exe[992] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 
0000000100070470 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0xffffffff892fe890} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[120] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0xffffffff892fe590} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0xffffffff892fe090} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 
bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[120] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[372] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007590a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 
0000000076ed03c0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\svchost.exe[368] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 
.text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\svchost.exe[1088] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 
bytes JMP 0000000076ed02b0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\svchost.exe[1088] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 
0000000076ed0460 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 
0000000076ed0480 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 
5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 
5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\Dwm.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text 
C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\Explorer.EXE[1356] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\Explorer.EXE[1356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\Explorer.EXE[1356] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\System32\spoolsv.exe[1440] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes 
{JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\System32\spoolsv.exe[1440] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000100060460 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000100060450 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000100060370 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 
5 bytes JMP 0000000100060470 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000100060320 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000100060390 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000100060310 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000100060230 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0xffffffff892ee890} .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000100060480 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 00000001000602f0 .text 
C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000100060350 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000100060290 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000100060330 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0xffffffff892ee590} .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000100060410 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000100060240 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000100060250 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0xffffffff892ee090} .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000100060490 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000100060300 .text C:\Windows\system32\taskhost.exe[1472] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000100060360 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000100060380 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000100060340 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000100060440 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000100060260 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000100060270 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000100060400 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000100060210 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000100060200 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000100060420 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000100060430 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
0000000076d72b00 5 bytes JMP 0000000100060220 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000100060280 .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text 
C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\atieclxx.exe[1480] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 
bytes JMP 0000000076ed0400 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\atieclxx.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 00000001000703b0 .text 
C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0xffffffff892fe890} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1540] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0xffffffff892fe590} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0xffffffff892fe090} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 
bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text 
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes 
JMP 0000000076ed03f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Program Files\ATI 
Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 
0000000076ed0280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 0000000076ed03e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text 
C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\svchost.exe[1808] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 0000000076ed0400 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes 
JMP 0000000076ed01f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2168] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007590a30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d43ae0 5 bytes JMP 000000010019075c .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d47a90 5 bytes JMP 00000001001903a4 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d71490 5 bytes JMP 0000000100190b14 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d714f0 5 bytes JMP 0000000100190ecc .text 
C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 000000010019163c .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 bytes JMP 0000000076ed02e0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d71810 5 bytes JMP 0000000100191284 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text 
C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 
0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 00000001001919f4 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 
5 bytes JMP 0000000076ed0210 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd736e00 5 bytes JMP 000007ff7d751dac .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd736f2c 5 bytes JMP 000007ff7d750ecc .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd737220 5 bytes JMP 000007ff7d751284 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd73739c 5 bytes JMP 000007ff7d75163c .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd737538 5 bytes JMP 000007ff7d7519f4 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7375e8 5 bytes JMP 000007ff7d7503a4 .text C:\Windows\system32\SearchIndexer.exe[2836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd73790c 5 bytes JMP 000007ff7d75075c .text C:\Windows\system32\SearchIndexer.exe[2836] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd737ab4 5 bytes JMP 000007ff7d750b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2956] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d43ae0 5 bytes JMP 00000001002a075c .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d47a90 5 bytes JMP 00000001002a03a4 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d713c0 5 bytes JMP 0000000076ed0460 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d71410 5 bytes JMP 0000000076ed0450 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d71490 5 bytes JMP 00000001002a0b14 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d714f0 5 bytes JMP 00000001002a0ecc .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d71570 5 bytes JMP 0000000076ed0370 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d715c0 5 bytes JMP 0000000076ed0470 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 00000001002a163c .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d71680 5 bytes JMP 0000000076ed0320 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d716b0 5 bytes JMP 0000000076ed03b0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d716d0 5 bytes JMP 0000000076ed0390 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d71710 5 
bytes JMP 0000000076ed02e0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d71790 5 bytes JMP 0000000076ed02d0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d717b0 5 bytes JMP 0000000076ed0310 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d717f0 5 bytes JMP 0000000076ed03c0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d71810 5 bytes JMP 00000001002a1284 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d71840 5 bytes JMP 0000000076ed03f0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d719a0 1 byte JMP 0000000076ed0230 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d71b60 5 bytes JMP 0000000076ed0480 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d71b90 5 bytes JMP 0000000076ed03a0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d71c70 5 bytes JMP 0000000076ed02f0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d71c80 5 bytes JMP 0000000076ed0350 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d71ce0 5 bytes JMP 0000000076ed0290 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d71d70 5 bytes JMP 0000000076ed02b0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d71d90 5 bytes JMP 0000000076ed03d0 .text 
C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d71da0 1 byte JMP 0000000076ed0330 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d71e10 5 bytes JMP 0000000076ed0410 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d71e40 5 bytes JMP 0000000076ed0240 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d72100 5 bytes JMP 0000000076ed01e0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d721c0 1 byte JMP 0000000076ed0250 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d721f0 5 bytes JMP 0000000076ed0490 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d72200 5 bytes JMP 0000000076ed04a0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d72230 5 bytes JMP 0000000076ed0300 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d72240 5 bytes JMP 0000000076ed0360 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d722a0 5 bytes JMP 0000000076ed02a0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d722f0 5 bytes JMP 0000000076ed02c0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d72320 5 bytes JMP 0000000076ed0380 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 
0000000076d72330 5 bytes JMP 0000000076ed0340 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d72620 5 bytes JMP 0000000076ed0440 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d72820 5 bytes JMP 0000000076ed0260 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d72830 5 bytes JMP 0000000076ed0270 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 00000001002a19f4 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d72a00 5 bytes JMP 0000000076ed01f0 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d72a10 5 bytes JMP 0000000076ed0210 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d72a80 5 bytes JMP 0000000076ed0200 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d72ae0 5 bytes JMP 0000000076ed0420 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d72af0 5 bytes JMP 0000000076ed0430 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d72b00 5 bytes JMP 0000000076ed0220 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d72be0 5 bytes JMP 0000000076ed0280 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd736e00 5 bytes JMP 000007ff7d751dac .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd736f2c 5 bytes JMP 000007ff7d750ecc .text 
C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd737220 5 bytes JMP 000007ff7d751284 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd73739c 5 bytes JMP 000007ff7d75163c .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd737538 5 bytes JMP 000007ff7d7519f4 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7375e8 5 bytes JMP 000007ff7d7503a4 .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd73790c 5 bytes JMP 000007ff7d75075c .text C:\Windows\System32\svchost.exe[2028] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd737ab4 5 bytes JMP 000007ff7d750b14 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f1faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f1fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f1fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f20018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f21900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f3c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f41217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW 
+ 112 000000007590a30a 1 byte [62] .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007485ee09 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074863982 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074867603 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007486835c 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007487f52b 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076305181 5 bytes JMP 0000000100181014 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076305254 5 bytes JMP 0000000100180804 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000763053d5 5 bytes JMP 0000000100180a08 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000763054c2 5 bytes JMP 0000000100180c0c .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000763055e2 5 bytes JMP 0000000100180e10 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007630567c 5 bytes JMP 00000001001801f8 .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007630589f 5 bytes JMP 00000001001803fc .text C:\Program Files (x86)\Audacity\audacity.exe[3292] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076305a22 5 
bytes JMP 0000000100180600 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f1faa0 5 bytes JMP 0000000100030600 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f1fb38 5 bytes JMP 0000000100030804 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f1fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f20018 5 bytes JMP 0000000100030a08 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f21900 5 bytes JMP 0000000100030e10 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f3c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f41217 5 bytes JMP 00000001000303fc .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007590a30a 1 byte [62] .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\syswow64\user32.DLL!SetWinEventHook 000000007485ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000074863982 5 bytes JMP 00000001002503fc .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000074867603 5 bytes JMP 0000000100250804 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 000000007486835c 5 bytes JMP 0000000100250600 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 000000007487f52b 5 bytes JMP 0000000100250a08 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076305181 5 bytes JMP 0000000100271014 .text C:\Users\Tomek\Desktop\OTL.exe[3440] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076305254 5 bytes JMP 0000000100270804 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000763053d5 5 bytes JMP 0000000100270a08 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000763054c2 5 bytes JMP 0000000100270c0c .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000763055e2 5 bytes JMP 0000000100270e10 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007630567c 5 bytes JMP 00000001002701f8 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007630589f 5 bytes JMP 00000001002703fc .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076305a22 5 bytes JMP 0000000100270600 .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75] .text C:\Users\Tomek\Desktop\OTL.exe[3440] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75] .text ... 
* 2 .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d43ae0 5 bytes JMP 000000010026075c .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d47a90 5 bytes JMP 00000001002603a4 .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d71490 5 bytes JMP 0000000100260b14 .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d714f0 5 bytes JMP 0000000100260ecc .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d715d0 5 bytes JMP 000000010026163c .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d71810 5 bytes JMP 0000000100261284 .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d72840 5 bytes JMP 00000001002619f4 .text C:\Windows\notepad.exe[736] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007669eecd 1 byte [62] .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd736e00 5 bytes JMP 000007ff7d751dac .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd736f2c 5 bytes JMP 000007ff7d750ecc .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd737220 5 bytes JMP 000007ff7d751284 .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd73739c 5 bytes JMP 000007ff7d75163c .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd737538 5 bytes JMP 000007ff7d7519f4 .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7375e8 5 bytes JMP 000007ff7d7503a4 .text C:\Windows\notepad.exe[736] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd73790c 5 bytes JMP 000007ff7d75075c .text C:\Windows\notepad.exe[736] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd737ab4 5 bytes JMP 000007ff7d750b14 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f1faa0 5 bytes JMP 0000000100030600 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f1fb38 5 bytes JMP 0000000100030804 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f1fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f20018 5 bytes JMP 0000000100030a08 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f21900 5 bytes JMP 0000000100030e10 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f3c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f41217 5 bytes JMP 00000001000303fc .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007590a30a 1 byte [62] .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076305181 5 bytes JMP 0000000100241014 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076305254 5 bytes JMP 0000000100240804 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000763053d5 5 bytes JMP 0000000100240a08 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000763054c2 5 bytes JMP 0000000100240c0c .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000763055e2 5 bytes JMP 0000000100240e10 .text 
C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007630567c 5 bytes JMP 00000001002401f8 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007630589f 5 bytes JMP 00000001002403fc .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076305a22 5 bytes JMP 0000000100240600 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007485ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074863982 5 bytes JMP 00000001002503fc .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074867603 5 bytes JMP 0000000100250804 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007486835c 5 bytes JMP 0000000100250600 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2112] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007487f52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2956:916] 000007fefdb20168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2956:2780] 000007fefb6c2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2956:2620] 000007fef8815124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2956:3792] 000007fefdb20168 Thread C:\Windows\System32\svchost.exe [2028:2880] 000007fef31e9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 18658 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 9 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 18658 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? 
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----