GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-22 20:09:19 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC38 465,76GB Running: 1s2yhxwz.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\kgldipoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 000000014a570460 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 000000014a570450 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 000000014a570370 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 000000014a570470 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 000000014a5703e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 000000014a570320 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 000000014a5703b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 000000014a570390 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 000000014a5702e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 000000014a5702d0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 000000014a570310 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 000000014a5703c0 .text C:\Windows\system32\csrss.exe[428] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 000000014a5703f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 000000014a570230 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0xffffffffd2c9e890} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 000000014a570480 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 000000014a5703a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 000000014a5702f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 000000014a570350 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 000000014a570290 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 000000014a5702b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 000000014a5703d0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 000000014a570330 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0xffffffffd2c9e590} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 000000014a570410 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 000000014a570240 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 000000014a5701e0 
.text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 000000014a570250 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0xffffffffd2c9e090} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 000000014a570490 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 000000014a5704a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 000000014a570300 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 000000014a570360 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 000000014a5702a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 000000014a5702c0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 000000014a570380 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 000000014a570340 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 000000014a570440 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 000000014a570260 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 000000014a570270 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 000000014a570400 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
00000000778d2a00 5 bytes JMP 000000014a5701f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 000000014a570210 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 000000014a570200 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 000000014a570420 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 000000014a570430 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 000000014a570220 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 000000014a570280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\wininit.exe[488] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 
.text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 000000014a570460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 000000014a570450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 000000014a570370 .text C:\Windows\system32\csrss.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 000000014a570470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 000000014a5703e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 000000014a570320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 000000014a5703b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 000000014a570390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 000000014a5702e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 000000014a5702d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 000000014a570310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 000000014a5703c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 000000014a5703f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 000000014a570230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0xffffffffd2c9e890} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 000000014a570480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 000000014a5703a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 000000014a5702f0 .text 
C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 000000014a570350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 000000014a570290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 000000014a5702b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 000000014a5703d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 000000014a570330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0xffffffffd2c9e590} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 000000014a570410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 000000014a570240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 000000014a5701e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 000000014a570250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0xffffffffd2c9e090} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 000000014a570490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 000000014a5704a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 000000014a570300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
00000000778d2240 5 bytes JMP 000000014a570360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 000000014a5702a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 000000014a5702c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 000000014a570380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 000000014a570340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 000000014a570440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 000000014a570260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 000000014a570270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 000000014a570400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 000000014a5701f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 000000014a570210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 000000014a570200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 000000014a570420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 000000014a570430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 000000014a570220 .text C:\Windows\system32\csrss.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 000000014a570280 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 
0000000077a30230 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\services.exe[548] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 
bytes JMP 0000000077a30210 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\services.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\lsass.exe[576] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text 
C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 
.text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 
bytes JMP 0000000077a303e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 
0000000077a30290 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 
.text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 
0000000077a30450 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\winlogon.exe[636] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 
bytes JMP 0000000077a304a0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\winlogon.exe[636] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text 
C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[720] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 
0000000077a30320 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[820] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 
.text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\atiesrxx.exe[884] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 
00000000778d13c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0xffffffff8879e890} .text C:\Windows\System32\svchost.exe[956] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0xffffffff8879e590} .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0xffffffff8879e090} .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
00000000778d21f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000100070200 .text 
C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 
bytes JMP 0000000077a302d0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[992] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 
.text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[1020] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 
bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[1020] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 
0000000077a30280 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[356] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d4a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[1028] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes 
JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[1028] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 
bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[1116] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 
0000000077a30380 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\atieclxx.exe[1220] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 
bytes JMP 0000000077a30480 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text 
C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\atieclxx.exe[1220] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 
0000000077a30310 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\System32\spoolsv.exe[1424] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 
0000000077a30270 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[1468] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes 
JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[1468] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 
byte [62] .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} 
.text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 
0000000077a30490 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 
bytes JMP 0000000077a30420 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\Dwm.exe[1660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Program Files\ATI 
Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 
0000000077a30300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 0000000077a303e0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text 
C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\Explorer.EXE[1676] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 
bytes JMP 0000000077a30260 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\Explorer.EXE[1676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes 
JMP 0000000077a303e0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text 
C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\taskhost.exe[1716] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 
5 bytes JMP 0000000077a30280 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778a3ae0 5 bytes JMP 000000010028075c .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778a7a90 5 bytes JMP 00000001002803a4 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778d1490 5 bytes JMP 0000000100280b14 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778d14f0 5 bytes JMP 0000000100280ecc .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 000000010028163c .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778d1810 5 bytes JMP 0000000100281284 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 
byte JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 00000001002819f4 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe966e00 5 bytes JMP 000007ff7e981dac .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe966f2c 5 bytes JMP 000007ff7e980ecc .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 
000007fefe967220 5 bytes JMP 000007ff7e981284 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe96739c 5 bytes JMP 000007ff7e98163c .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe967538 5 bytes JMP 000007ff7e9819f4 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9675e8 5 bytes JMP 000007ff7e9803a4 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe96790c 5 bytes JMP 000007ff7e98075c .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe967ab4 5 bytes JMP 000007ff7e980b14 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe966e00 5 bytes JMP 000007ff7e981dac .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe966f2c 5 bytes JMP 000007ff7e980ecc .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe967220 5 bytes JMP 000007ff7e981284 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe96739c 5 bytes JMP 000007ff7e98163c .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe967538 5 bytes JMP 000007ff7e9819f4 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9675e8 5 bytes JMP 000007ff7e9803a4 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe96790c 5 bytes JMP 000007ff7e98075c .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe967ab4 5 bytes JMP 
000007ff7e980b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2684] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d4a30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778a3ae0 5 bytes JMP 000000010042075c .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778a7a90 5 bytes JMP 00000001004203a4 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778d1490 5 bytes JMP 0000000100420b14 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778d14f0 5 bytes JMP 0000000100420ecc .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 000000010042163c .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 
5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778d1810 5 bytes JMP 0000000100421284 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0xffffffff8879e890} .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[2948] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0xffffffff8879e590} .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0xffffffff8879e090} .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 00000001000702c0 .text 
C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 00000001004219f4 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text 
C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe966e00 5 bytes JMP 000007ff7e981dac .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe966f2c 5 bytes JMP 000007ff7e980ecc .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe967220 5 bytes JMP 000007ff7e981284 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe96739c 5 bytes JMP 000007ff7e98163c .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe967538 5 bytes JMP 000007ff7e9819f4 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9675e8 5 bytes JMP 000007ff7e9803a4 .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe96790c 5 bytes JMP 000007ff7e98075c .text C:\Windows\system32\SearchIndexer.exe[2948] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe967ab4 5 bytes JMP 000007ff7e980b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3028] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778a3ae0 5 bytes JMP 000000010026075c .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778a7a90 5 bytes JMP 00000001002603a4 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778d1490 5 bytes JMP 
0000000100260b14 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778d14f0 5 bytes JMP 0000000100260ecc .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 000000010026163c .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778d1810 5 bytes JMP 0000000100261284 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\System32\svchost.exe[2456] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 
bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 00000001002619f4 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\System32\svchost.exe[2456] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe966e00 5 bytes JMP 000007ff7e981dac .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe966f2c 5 bytes JMP 000007ff7e980ecc .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe967220 5 bytes JMP 000007ff7e981284 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe96739c 5 bytes JMP 000007ff7e98163c .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe967538 5 bytes JMP 000007ff7e9819f4 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9675e8 5 bytes JMP 000007ff7e9803a4 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe96790c 5 bytes JMP 000007ff7e98075c .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe967ab4 5 bytes JMP 000007ff7e980b14 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778a3ae0 5 bytes JMP 000000010024075c .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 
00000000778a7a90 5 bytes JMP 00000001002403a4 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778d1490 5 bytes JMP 0000000100240b14 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778d14f0 5 bytes JMP 0000000100240ecc .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 000000010024163c .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text 
C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778d1810 5 bytes JMP 0000000100241284 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\wuauclt.exe[3552] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 
0000000077a30270 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 00000001002419f4 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe966e00 5 bytes JMP 000007ff7e981dac .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe966f2c 5 bytes JMP 000007ff7e980ecc .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe967220 5 bytes JMP 000007ff7e981284 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe96739c 5 bytes JMP 000007ff7e98163c .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe967538 5 bytes JMP 000007ff7e9819f4 .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9675e8 5 bytes JMP 000007ff7e9803a4 .text 
C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe96790c 5 bytes JMP 000007ff7e98075c .text C:\Windows\system32\wuauclt.exe[3552] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe967ab4 5 bytes JMP 000007ff7e980b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778a3ae0 5 bytes JMP 000000010037075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778a7a90 5 bytes JMP 00000001003703a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d13c0 5 bytes JMP 0000000077a30460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d1410 5 bytes JMP 0000000077a30450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778d1490 5 bytes JMP 0000000100370b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778d14f0 5 bytes JMP 0000000100370ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1570 5 bytes JMP 0000000077a30370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d15c0 5 bytes JMP 0000000077a30470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d15d0 5 bytes JMP 000000010037163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 
00000000778d1680 5 bytes JMP 0000000077a30320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d16b0 5 bytes JMP 0000000077a303b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d16d0 5 bytes JMP 0000000077a30390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d17f0 5 bytes JMP 0000000077a303c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778d1810 5 bytes JMP 0000000100371284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d1840 5 bytes JMP 0000000077a303f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d19a0 1 byte JMP 0000000077a30230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778d19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b60 5 bytes JMP 0000000077a30480 
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b90 5 bytes JMP 0000000077a303a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d90 5 bytes JMP 0000000077a303d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1da0 1 byte JMP 0000000077a30330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778d1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1e10 5 bytes JMP 0000000077a30410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d2100 5 bytes JMP 0000000077a301e0 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d21c0 1 byte JMP 0000000077a30250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778d21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d21f0 5 bytes JMP 0000000077a30490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d2200 5 bytes JMP 0000000077a304a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d2230 5 bytes JMP 0000000077a30300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d2240 5 bytes JMP 0000000077a30360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d2320 5 bytes JMP 0000000077a30380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d2330 5 bytes JMP 0000000077a30340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d2620 5 bytes JMP 0000000077a30440 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d2820 5 bytes JMP 0000000077a30260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d2830 5 bytes JMP 0000000077a30270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d2840 5 bytes JMP 00000001003719f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2ae0 5 bytes JMP 0000000077a30420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2af0 5 bytes JMP 0000000077a30430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007745eecd 1 byte [62] .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe966e00 5 bytes JMP 000007ff7e981dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe966f2c 5 bytes JMP 000007ff7e980ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe967220 5 bytes JMP 000007ff7e981284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe96739c 5 bytes JMP 000007ff7e98163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe967538 5 bytes JMP 000007ff7e9819f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9675e8 5 bytes JMP 000007ff7e9803a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe96790c 5 bytes JMP 000007ff7e98075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3220] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe967ab4 5 bytes JMP 000007ff7e980b14 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a7faa0 5 bytes JMP 0000000100030600 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a7fb38 5 bytes JMP 0000000100030804 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a80018 5 
bytes JMP 0000000100030a08 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a81900 5 bytes JMP 0000000100030e10 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a9c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077aa1217 5 bytes JMP 00000001000303fc .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076d4a30a 1 byte [62] .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000752a5181 5 bytes JMP 00000001001d1014 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000752a5254 5 bytes JMP 00000001001d0804 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000752a53d5 5 bytes JMP 00000001001d0a08 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000752a54c2 5 bytes JMP 00000001001d0c0c .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000752a55e2 5 bytes JMP 00000001001d0e10 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000752a567c 5 bytes JMP 00000001001d01f8 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000752a589f 5 bytes JMP 00000001001d03fc .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000752a5a22 5 bytes JMP 00000001001d0600 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751bee09 5 bytes JMP 00000001001e01f8 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000751c3982 5 bytes JMP 
00000001001e03fc .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751c7603 5 bytes JMP 00000001001e0804 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751c835c 5 bytes JMP 00000001001e0600 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000751df52b 3 bytes JMP 00000001001e0a08 .text C:\Users\Tomek\Desktop\1s2yhxwz.exe[2860] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx + 4 00000000751df52f 1 byte [8B] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3028:2872] 000007fefea00168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3028:2712] 000007fefc222a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3028:2896] 000007fef9805124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3028:3292] 000007fefea00168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3028:3932] 000007fefea00168 Thread C:\Windows\System32\svchost.exe [2456:1204] 000007fef50f9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 33510 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 10 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 33510 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? 
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----