GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-04 20:45:28 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AZRX-00A8LB0 rev.01.01A01 465,76GB Running: nudjzdsu.exe; Driver: C:\Users\User\AppData\Local\Temp\awlcaaob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002dfa000 46 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002dfa02f 18 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000149f50460 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000149f50450 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000149f50370 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000149f50470 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 0000000149f503e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000149f50320 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 0000000149f503b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000149f50390 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 0000000149f502e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 0000000149f502d0 .text 
C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000149f50310 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 0000000149f503c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 0000000149f503f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000149f50230 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000149f50480 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 0000000149f503a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 0000000149f502f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000149f50350 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000149f50290 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 0000000149f502b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 0000000149f503d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000149f50330 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000149f50410 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000149f50240 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes 
JMP 0000000149f501e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000149f50250 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000149f50490 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 0000000149f504a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000149f50300 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000149f50360 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 0000000149f502a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 0000000149f502c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000149f50380 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000149f50340 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000149f50440 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000149f50260 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000149f50270 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000149f50400 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 0000000149f501f0 .text C:\Windows\system32\csrss.exe[504] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000149f50210 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000149f50200 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000149f50420 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000149f50430 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000149f50220 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000149f50280 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000149f50460 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000149f50450 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000149f50370 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000149f50470 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 0000000149f503e0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000149f50320 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 0000000149f503b0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000149f50390 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 0000000149f502e0 .text 
C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 0000000149f502d0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000149f50310 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 0000000149f503c0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 0000000149f503f0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000149f50230 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000149f50480 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 0000000149f503a0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 0000000149f502f0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000149f50350 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000149f50290 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 0000000149f502b0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 0000000149f503d0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000149f50330 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000149f50410 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 
bytes JMP 0000000149f50240 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 0000000149f501e0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000149f50250 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000149f50490 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 0000000149f504a0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000149f50300 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000149f50360 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 0000000149f502a0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 0000000149f502c0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000149f50380 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000149f50340 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000149f50440 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000149f50260 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000149f50270 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000149f50400 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
00000000775129a0 5 bytes JMP 0000000149f501f0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000149f50210 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000149f50200 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000149f50420 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000149f50430 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000149f50220 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000149f50280 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000000776703e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text 
C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\system32\services.exe[676] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 
0000000077670270 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000000776703e0 .text C:\Windows\system32\lsass.exe[688] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text 
C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 
0000000077670440 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\system32\svchost.exe[804] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000000776703e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 
0000000077670290 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\system32\svchost.exe[804] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\system32\svchost.exe[804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 
0000000077670450 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000000776703e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\system32\svchost.exe[900] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 
00000000776702a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\System32\svchost.exe[120] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 
0000000100070480 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[120] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 
0000000100070220 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000000776703e0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text 
C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Windows\System32\svchost.exe[448] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\System32\svchost.exe[448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000000776703e0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text 
C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\system32\svchost.exe[164] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 
00000000776701f0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000000776703e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Windows\system32\svchost.exe[476] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 
0000000077670410 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Windows\system32\svchost.exe[476] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 
00000000776703e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Windows\system32\svchost.exe[1188] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 
0000000077670340 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[1440] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000100070230 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[1440] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000100070330 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000100070250 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000100070490 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000001000704a0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 
bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\ProgramData\IePluginService\PluginService.exe[1568] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte [62] .text C:\ProgramData\IePluginService\PluginService.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076de1465 2 bytes [DE, 76] .text C:\ProgramData\IePluginService\PluginService.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 
0000000076de14bb 2 bytes [DE, 76] .text ... * 2 .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1624] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte [62] .text C:\ProgramData\WPM\wprotectmanager.exe[1776] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000000776703e0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text 
C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\System32\spoolsv.exe[1896] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 
bytes JMP 0000000077670200 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\System32\spoolsv.exe[1896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000000776703e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 0000000077670400 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Program Files\Windows Sidebar\sidebar.exe[2040] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1124] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte 
[62] .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 5 bytes JMP 000000010013075c .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774e7ac0 5 bytes JMP 00000001001303a4 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077511430 5 bytes JMP 0000000100130b14 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077511490 5 bytes JMP 0000000100130ecc .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 000000010013163c .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Windows\system32\svchost.exe[2052] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000775117b0 5 bytes JMP 0000000100131284 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 00000001001319f4 .text 
C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaf6e00 5 bytes JMP 000007ff7db11dac .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaf6f2c 5 bytes JMP 000007ff7db10ecc .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaf7220 5 bytes JMP 000007ff7db11284 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaf739c 5 bytes JMP 000007ff7db1163c .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaf7538 5 bytes JMP 000007ff7db119f4 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaf75e8 5 bytes JMP 000007ff7db103a4 .text C:\Windows\system32\svchost.exe[2052] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaf790c 5 bytes JMP 000007ff7db1075c .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaf7ab4 5 bytes JMP 000007ff7db10b14 .text C:\Windows\system32\SearchIndexer.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 5 bytes JMP 00000001001e075c .text C:\Windows\system32\SearchIndexer.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774e7ac0 5 bytes JMP 00000001001e03a4 .text C:\Windows\system32\SearchIndexer.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077511430 5 bytes JMP 00000001001e0b14 .text C:\Windows\system32\SearchIndexer.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077511490 5 bytes JMP 00000001001e0ecc .text C:\Windows\system32\SearchIndexer.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 00000001001e163c .text C:\Windows\system32\SearchIndexer.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000775117b0 5 bytes JMP 00000001001e1284 .text C:\Windows\system32\SearchIndexer.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 00000001001e19f4 .text C:\Windows\system32\SearchIndexer.exe[2024] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 5 bytes JMP 000000010018075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774e7ac0 5 bytes JMP 00000001001803a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077511360 5 bytes JMP 0000000077670460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775113b0 5 bytes JMP 0000000077670450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077511430 5 bytes JMP 0000000100180b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077511490 5 bytes JMP 0000000100180ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077511510 5 bytes JMP 0000000077670370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077511560 5 bytes JMP 0000000077670470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 000000010018163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 5 bytes JMP 0000000077670320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077511650 5 bytes JMP 00000000776703b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077511670 5 bytes JMP 0000000077670390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775116b0 5 bytes JMP 00000000776702e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077511730 5 bytes JMP 00000000776702d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 5 bytes JMP 0000000077670310 .text 
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 5 bytes JMP 00000000776703c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000775117b0 5 bytes JMP 0000000100181284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 5 bytes JMP 00000000776703f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077511940 5 bytes JMP 0000000077670230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 5 bytes JMP 0000000077670480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077511b30 5 bytes JMP 00000000776703a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077511c10 5 bytes JMP 00000000776702f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077511c20 5 bytes JMP 0000000077670350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077511c80 5 bytes JMP 0000000077670290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077511d10 5 bytes JMP 00000000776702b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 5 bytes JMP 00000000776703d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077511d40 5 bytes JMP 0000000077670330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077511db0 5 bytes JMP 0000000077670410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077511de0 5 bytes JMP 0000000077670240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 5 bytes JMP 00000000776701e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077512160 5 bytes JMP 0000000077670250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077512190 5 bytes JMP 0000000077670490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775121a0 5 bytes JMP 00000000776704a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775121d0 5 bytes JMP 0000000077670300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775121e0 5 bytes JMP 0000000077670360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077512240 5 bytes JMP 00000000776702a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077512290 5 bytes JMP 00000000776702c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775122c0 5 bytes JMP 0000000077670380 .text 
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775122d0 5 bytes JMP 0000000077670340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775125c0 5 bytes JMP 0000000077670440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775127c0 5 bytes JMP 0000000077670260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775127d0 5 bytes JMP 0000000077670270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 00000001001819f4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 5 bytes JMP 00000000776701f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775129b0 5 bytes JMP 0000000077670210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 5 bytes JMP 0000000077670200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077512a80 5 bytes JMP 0000000077670420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077512a90 5 bytes JMP 0000000077670430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 5 bytes JMP 0000000077670220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[836] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077512b80 5 bytes JMP 0000000077670280 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000776bfac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000776bfb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776bfcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776c0038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000776c1920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[1656] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776dc4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[1656] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776e1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[1656] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte [62] .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000776bfac0 5 bytes JMP 0000000100030600 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000776bfb58 5 bytes JMP 0000000100030804 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776bfcb0 5 bytes JMP 0000000100030c0c .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776c0038 5 bytes JMP 
0000000100030a08 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000776c1920 5 bytes JMP 0000000100030e10 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776dc4dd 5 bytes JMP 00000001000301f8 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776e1287 5 bytes JMP 00000001000303fc .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte [62] .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000076a9ee09 5 bytes JMP 00000001002601f8 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000076aa3982 5 bytes JMP 00000001002603fc .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000076aa7603 5 bytes JMP 0000000100260804 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000076aa835c 5 bytes JMP 0000000100260600 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000076abf52b 5 bytes JMP 0000000100260a08 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000768d5181 5 bytes JMP 00000001003e1014 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000768d5254 5 bytes JMP 00000001003e0804 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768d53d5 5 bytes JMP 00000001003e0a08 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768d54c2 5 bytes JMP 00000001003e0c0c .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768d55e2 5 bytes JMP 00000001003e0e10 .text 
C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000768d567c 5 bytes JMP 00000001003e01f8 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000768d589f 5 bytes JMP 00000001003e03fc .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000768d5a22 5 bytes JMP 00000001003e0600 .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076de1465 2 bytes [DE, 76] .text C:\Windows\system32\taskhost.exe[3472] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000076de14bb 2 bytes [DE, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaf6e00 5 bytes JMP 000007ff7db11dac .text C:\Windows\system32\svchost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaf6f2c 5 bytes JMP 000007ff7db10ecc .text C:\Windows\system32\svchost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaf7220 5 bytes JMP 000007ff7db11284 .text C:\Windows\system32\svchost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaf739c 5 bytes JMP 000007ff7db1163c .text C:\Windows\system32\svchost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaf7538 5 bytes JMP 000007ff7db119f4 .text C:\Windows\system32\svchost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaf75e8 5 bytes JMP 000007ff7db103a4 .text C:\Windows\system32\svchost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaf790c 5 bytes JMP 000007ff7db1075c .text C:\Windows\system32\svchost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaf7ab4 5 bytes JMP 000007ff7db10b14 .text C:\Windows\system32\vssvc.exe[4740] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaf6e00 5 bytes JMP 000007ff7db11dac .text 
C:\Windows\system32\vssvc.exe[4740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaf6f2c 5 bytes JMP 000007ff7db10ecc .text C:\Windows\system32\vssvc.exe[4740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaf7220 5 bytes JMP 000007ff7db11284 .text C:\Windows\system32\vssvc.exe[4740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaf739c 5 bytes JMP 000007ff7db1163c .text C:\Windows\system32\vssvc.exe[4740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaf7538 5 bytes JMP 000007ff7db119f4 .text C:\Windows\system32\vssvc.exe[4740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaf75e8 5 bytes JMP 000007ff7db103a4 .text C:\Windows\system32\vssvc.exe[4740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaf790c 5 bytes JMP 000007ff7db1075c .text C:\Windows\system32\vssvc.exe[4740] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaf7ab4 5 bytes JMP 000007ff7db10b14 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000776bfac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000776bfb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776bfcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776c0038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000776c1920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776dc4dd 5 
bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776e1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte [62] .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000768d5181 5 bytes JMP 0000000100341014 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000768d5254 5 bytes JMP 0000000100340804 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768d53d5 5 bytes JMP 0000000100340a08 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768d54c2 5 bytes JMP 0000000100340c0c .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768d55e2 5 bytes JMP 0000000100340e10 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000768d567c 5 bytes JMP 00000001003401f8 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000768d589f 5 bytes JMP 00000001003403fc .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000768d5a22 5 bytes JMP 0000000100340600 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a9ee09 3 bytes JMP 00000001003501f8 .text C:\Program Files (x86)\Cyfrowy 
Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\syswow64\USER32.dll!SetWinEventHook + 4 0000000076a9ee0d 1 byte [89] .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076aa3982 5 bytes JMP 00000001003503fc .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076aa7603 5 bytes JMP 0000000100350804 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076aa835c 5 bytes JMP 0000000100350600 .text C:\Program Files (x86)\Cyfrowy Polsat E3276\Cyfrowy Polsat E3276.exe[4888] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076abf52b 5 bytes JMP 0000000100350a08 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000776bfac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000776bfb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776bfcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776c0038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000776c1920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776dc4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776e1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte [62] 
.text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a9ee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076aa3982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076aa7603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076aa835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076abf52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000768d5181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000768d5254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768d53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768d54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768d55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000768d567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000768d589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000768d5a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\RedApp\redApp.exe[1676] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076de1465 2 bytes [DE, 76] .text C:\Program Files (x86)\RedApp\redApp.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076de14bb 2 bytes [DE, 76] .text ... * 2 .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 5 bytes JMP 000000010033075c .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774e7ac0 5 bytes JMP 00000001003303a4 .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077511430 5 bytes JMP 0000000100330b14 .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077511490 5 bytes JMP 0000000100330ecc .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 5 bytes JMP 000000010033163c .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000775117b0 5 bytes JMP 0000000100331284 .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775127e0 5 bytes JMP 00000001003319f4 .text C:\Windows\splwow64.exe[3312] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773feecd 1 byte [62] .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaf6e00 5 bytes JMP 000007ff7db11dac .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaf6f2c 5 bytes JMP 000007ff7db10ecc .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaf7220 5 bytes JMP 000007ff7db11284 .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaf739c 5 bytes JMP 000007ff7db1163c .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaf7538 5 bytes JMP 000007ff7db119f4 .text C:\Windows\splwow64.exe[3312] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaf75e8 5 bytes JMP 000007ff7db103a4 .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaf790c 5 bytes JMP 000007ff7db1075c .text C:\Windows\splwow64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaf7ab4 5 bytes JMP 000007ff7db10b14 .text C:\Users\User\Downloads\nudjzdsu.exe[2456] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076eba2ba 1 byte [62] ---- Devices - GMER 2.1 ---- Device \Driver\usbscan \Device\Usbscan0 fffff88007a53d08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [164:3224] 000007feeff70ea8 Thread C:\Windows\system32\svchost.exe [164:3252] 000007feeff69db0 Thread C:\Windows\system32\svchost.exe [164:3376] 000007feeff71c94 Thread C:\Windows\system32\svchost.exe [164:3816] 000007feeff6aa10 Thread C:\Windows\system32\svchost.exe [1188:2016] 000007fefccd1a70 Thread C:\Windows\system32\svchost.exe [1188:1084] 000007fefccd1a70 Thread C:\Windows\system32\svchost.exe [1188:1344] 000007fefccd1a70 Thread C:\Windows\system32\svchost.exe [1188:1404] 000007fef8a32c70 Thread C:\Windows\system32\svchost.exe [1188:1684] 000007fef8a3fb40 Thread C:\Windows\system32\svchost.exe [1188:1388] 000007fef8a51d20 Thread C:\Windows\system32\svchost.exe [1188:1392] 000007fef8a3f6f0 Thread C:\Windows\system32\svchost.exe [1188:2876] 000007fef0c235c0 Thread C:\Windows\system32\svchost.exe [1188:2664] 000007fef0c25600 Thread C:\Windows\system32\svchost.exe [1188:3280] 000007feedc12888 Thread C:\Windows\system32\svchost.exe [1188:3316] 000007feefd22940 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2372] 000007fef7a2ff38 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2616] 000007fef719902c Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2620] 000007fef719902c Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2676] 000007fef719902c Thread C:\Program Files\Windows Sidebar\sidebar.exe 
[2040:2708] 000007fef2c32020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2712] 000007fef2c32020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2716] 000007fef2c32020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2720] 000007fef2c32020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2724] 000007fef2c32020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2728] 000007fef2c32020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2732] 000007fef2c32020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2040:2736] 000007fef2c32020 Thread C:\Windows\system32\SearchIndexer.exe [2024:3268] 000007fef8fb5170 Thread C:\Windows\system32\SearchIndexer.exe [2024:3668] 000007feee7469ac Thread C:\Windows\system32\SearchIndexer.exe [2024:3676] 000007feee993dac Thread C:\Windows\system32\SearchIndexer.exe [2024:3680] 000007feee991700 Thread C:\Windows\system32\SearchIndexer.exe [2024:3696] 000007feee9bb248 Thread C:\Windows\system32\SearchIndexer.exe [2024:3700] 000007feee9bc4ac Thread C:\Windows\system32\SearchIndexer.exe [2024:4064] 000007feee7469ac Thread C:\Windows\System32\WUDFHost.exe [3544:3576] 000007fef06424a0 Thread C:\Windows\system32\taskhost.exe [1108:1588] 000007feefddef24 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [2796](2013-10-16 15:34:57) 0000000000400000 Library C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [2796](2013-10-16 15:34:57) 000000006fbc0000 Library C:\Users\User\Downloads\OTH.exe (*** suspicious ***) @ C:\Users\User\Downloads\OTH.exe [3472] 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 233 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 1631934 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 233 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 1631934 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----