GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-05 22:15:24 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\00000063 WDC_WD50 rev.01.0 465,76GB Running: t0bymegg.exe; Driver: C:\Users\lupus\AppData\Local\Temp\kwddqkod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 819 fffff80002fff123 35 bytes [6B, 24, 92, D6, 68, F8, 24, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 855 fffff80002fff147 77 bytes {MOV EAX, 0x292b77ce; JRCXZ 0x3d; MOV EBX, 0x1d1b2936; JMP QWORD [RIP+0x632db7d9]} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000149af0460 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000149af0450 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000149af0370 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000149af0470 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 0000000149af03e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000149af0320 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 0000000149af03b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000149af0390 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 0000000149af02e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 0000000149af02d0 
.text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000149af0310 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 0000000149af03c0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 0000000149af03f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000149af0230 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000149af0480 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 0000000149af03a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 0000000149af02f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000149af0350 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000149af0290 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 0000000149af02b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 0000000149af03d0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000149af0330 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000149af0410 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000149af0240 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 
bytes JMP 0000000149af01e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000149af0250 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000149af0490 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 0000000149af04a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000149af0300 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000149af0360 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 0000000149af02a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 0000000149af02c0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000149af0380 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000149af0340 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000149af0440 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000149af0260 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000149af0270 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000149af0400 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 0000000149af01f0 .text C:\Windows\system32\csrss.exe[424] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000149af0210 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000149af0200 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000149af0420 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000149af0430 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000149af0220 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000149af0280 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 
.text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\wininit.exe[484] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 
.text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\wininit.exe[484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000100040460 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000100040450 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000100040370 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000100040470 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000100040320 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
00000000777e1650 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000100040390 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000100040310 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000100040230 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000100040480 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000100040350 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000100040290 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\csrss.exe[512] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000100040330 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000100040410 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000100040240 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000100040250 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000100040490 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000001000404a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000100040300 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000100040360 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000100040380 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000100040340 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000100040440 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000100040260 .text 
C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000100040270 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000100040210 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000100040200 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000100040420 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000100040430 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000100040220 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000100040280 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 
00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text 
C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\services.exe[544] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 
0000000077940370 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\lsass.exe[572] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text 
C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 
0000000077940450 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 
00000000779402f0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 
00000000779402c0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes 
JMP 0000000077940450 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\winlogon.exe[632] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 
bytes JMP 00000000779402a0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\winlogon.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\winlogon.exe[632] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text 
C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\svchost.exe[724] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 
0000000077940430 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\svchost.exe[828] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 
0000000077940250 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\svchost.exe[828] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text 
C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\System32\svchost.exe[948] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 
.text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\System32\svchost.exe[984] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 
00000000779403d0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\System32\svchost.exe[984] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 
0000000077940470 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\svchost.exe[1016] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 
0000000077940380 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\svchost.exe[348] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 
00000000779403a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\svchost.exe[348] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 
.text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 
.text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\svchost.exe[1072] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 
0000000077940310 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text 
C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\atieclxx.exe[1180] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\atieclxx.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000756ca2ba 1 byte [62] .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000760b1401 2 bytes JMP 756cb1d3 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000760b1419 2 bytes JMP 756cb2fe C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000760b1431 2 bytes JMP 75748939 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000760b144a 2 bytes CALL 756a4885 C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000760b14dd 2 bytes JMP 75748232 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000760b14f5 2 bytes JMP 75748408 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000760b150d 2 bytes JMP 75748128 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000760b1525 2 bytes JMP 757484f2 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000760b153d 2 bytes JMP 756bfc70 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000760b1555 2 bytes JMP 756c68b7 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000760b156d 2 bytes JMP 757489f1 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000760b1585 2 bytes JMP 75748552 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000760b159d 2 bytes JMP 757480ec C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000760b15b5 2 bytes JMP 756bfd09 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000760b15cd 2 bytes JMP 756cb294 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 
00000000760b16b2 2 bytes JMP 757488b4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\eSafe\eGdpSvc.exe[1320] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000760b16bd 2 bytes JMP 75748081 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 
.text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\taskhost.exe[1492] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text 
C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 
00000000779401e0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 
5 bytes JMP 0000000077940210 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text 
C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\Explorer.EXE[1940] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2060] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000756ca2ba 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\System32\spoolsv.exe[1444] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 
bytes JMP 0000000077940410 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\System32\spoolsv.exe[1444] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes 
JMP 0000000077940320 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\svchost.exe[2472] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 
0000000077940440 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2608] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000756ca2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000756ca2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000752417fa 2 bytes CALL 756a11a9 C:\Windows\syswow64\kernel32.dll .text 
C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000075241860 2 bytes CALL 756a11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000075241a22 2 bytes [24, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000075241ad0 2 bytes [24, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000075241b08 2 bytes [24, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000760b1401 2 bytes JMP 756cb1d3 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000760b1419 2 bytes JMP 756cb2fe C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000760b1431 2 bytes JMP 75748939 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000760b144a 2 bytes CALL 756a4885 C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760b14dd 2 bytes JMP 75748232 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760b14f5 2 bytes JMP 75748408 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000760b150d 2 bytes JMP 75748128 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000760b1525 2 bytes JMP 757484f2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000760b153d 2 bytes JMP 756bfc70 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000760b1555 2 bytes JMP 756c68b7 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000760b156d 2 bytes JMP 757489f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000760b1585 2 bytes JMP 75748552 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000760b159d 2 bytes JMP 757480ec C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760b15b5 2 bytes JMP 756bfd09 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760b15cd 2 bytes JMP 756cb294 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 
00000000760b16b2 2 bytes JMP 757488b4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760b16bd 2 bytes JMP 75748081 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text 
C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\svchost.exe[2928] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\svchost.exe[2928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\SearchIndexer.exe[2380] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text 
C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 
0000000077940260 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\SearchIndexer.exe[2380] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2752] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000756ca2ba 1 byte [62] .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000756ca2ba 1 byte [62] .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 00000000760b1401 2 bytes JMP 756cb1d3 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 00000000760b1419 2 bytes JMP 756cb2fe 
C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 00000000760b1431 2 bytes JMP 75748939 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 00000000760b144a 2 bytes CALL 756a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000760b14dd 2 bytes JMP 75748232 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000760b14f5 2 bytes JMP 75748408 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 00000000760b150d 2 bytes JMP 75748128 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 00000000760b1525 2 bytes JMP 757484f2 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 00000000760b153d 2 bytes JMP 756bfc70 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 00000000760b1555 2 bytes JMP 756c68b7 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 00000000760b156d 2 bytes JMP 757489f1 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 00000000760b1585 2 bytes JMP 75748552 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 00000000760b159d 2 bytes JMP 757480ec C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000760b15b5 2 bytes JMP 756bfd09 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] 
C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000760b15cd 2 bytes JMP 756cb294 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000760b16b2 2 bytes JMP 757488b4 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000760b16bd 2 bytes JMP 75748081 C:\Windows\syswow64\kernel32.dll .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text 
C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\notepad.exe[1148] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 
bytes JMP 0000000077940430 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\notepad.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\notepad.exe[1148] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 00000000779402d0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text 
C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes JMP 00000000779401f0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\taskeng.exe[124] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777e1360 5 bytes JMP 0000000077940460 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777e13b0 5 bytes JMP 0000000077940450 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777e1510 5 bytes JMP 0000000077940370 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777e1560 5 bytes JMP 0000000077940470 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777e1570 5 bytes JMP 00000000779403e0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777e1620 5 bytes JMP 0000000077940320 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777e1650 5 bytes JMP 00000000779403b0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777e1670 5 bytes JMP 0000000077940390 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777e16b0 5 bytes JMP 00000000779402e0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777e1730 5 bytes JMP 
00000000779402d0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777e1750 5 bytes JMP 0000000077940310 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777e1790 5 bytes JMP 00000000779403c0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777e17e0 5 bytes JMP 00000000779403f0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777e1940 5 bytes JMP 0000000077940230 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777e1b00 5 bytes JMP 0000000077940480 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777e1b30 5 bytes JMP 00000000779403a0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777e1c10 5 bytes JMP 00000000779402f0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777e1c20 5 bytes JMP 0000000077940350 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777e1c80 5 bytes JMP 0000000077940290 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777e1d10 5 bytes JMP 00000000779402b0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777e1d30 5 bytes JMP 00000000779403d0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777e1d40 5 bytes JMP 0000000077940330 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777e1db0 5 bytes JMP 0000000077940410 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777e1de0 5 bytes JMP 0000000077940240 .text C:\Windows\system32\AUDIODG.EXE[1668] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777e20a0 5 bytes JMP 00000000779401e0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777e2160 5 bytes JMP 0000000077940250 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777e2190 5 bytes JMP 0000000077940490 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777e21a0 5 bytes JMP 00000000779404a0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777e21d0 5 bytes JMP 0000000077940300 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777e21e0 5 bytes JMP 0000000077940360 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777e2240 5 bytes JMP 00000000779402a0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777e2290 5 bytes JMP 00000000779402c0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777e22c0 5 bytes JMP 0000000077940380 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777e22d0 5 bytes JMP 0000000077940340 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777e25c0 5 bytes JMP 0000000077940440 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777e27c0 5 bytes JMP 0000000077940260 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777e27d0 5 bytes JMP 0000000077940270 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777e27e0 5 bytes JMP 0000000077940400 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777e29a0 5 bytes 
JMP 00000000779401f0 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777e29b0 5 bytes JMP 0000000077940210 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777e2a20 5 bytes JMP 0000000077940200 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777e2a80 5 bytes JMP 0000000077940420 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777e2a90 5 bytes JMP 0000000077940430 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777e2aa0 5 bytes JMP 0000000077940220 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777e2b80 5 bytes JMP 0000000077940280 .text C:\Windows\system32\AUDIODG.EXE[1668] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000776ceecd 1 byte [62] .text D:\Pobrane\t0bymegg.exe[3976] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000756ca2ba 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1112:2144] 000007fefba02a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1112:3476] 000007fee67cd618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1112:2712] 000007feea895124 ---- Services - GMER 2.1 ---- Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!! 
Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!! Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description Avast! Mini-filter Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 12 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 28205 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 288 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje osłony działające w czasie rzeczywistym, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D13233B8-C025-46DF-8466-13F42953EB06}@LeaseObtainedTime 1386277976 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D13233B8-C025-46DF-8466-13F42953EB06}@T1 1386278026 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D13233B8-C025-46DF-8466-13F42953EB06}@T2 1386278063 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D13233B8-C025-46DF-8466-13F42953EB06}@LeaseTerminatesTime 1386278076 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group 
FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description Avast! Mini-filter Driver Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 12 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 28205 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys Reg 
HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName aswTdi Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description aswTdi Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 288 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje osłony działające w czasie rzeczywistym, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus\Parameters (not active ControlSet) ---- EOF - GMER 2.1 ----