GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-26 00:48:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1000LM rev.2AR1 931,51GB Running: ywrvxv7u.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\kfrdapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000149810460 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000149810450 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000149810370 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000149810470 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000001498103e0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000149810320 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000001498103b0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000149810390 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000001498102e0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000001498102d0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000149810310 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000001498103c0 .text C:\Windows\system32\csrss.exe[684] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000001498103f0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000149810230 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000149810480 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000001498103a0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000001498102f0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000149810350 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000149810290 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000001498102b0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000001498103d0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000149810330 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000149810410 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000149810240 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000001498101e0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000149810250 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000149810490 .text 
C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000001498104a0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000149810300 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000149810360 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000001498102a0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000001498102c0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000149810380 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000149810340 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000149810440 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000149810260 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000149810270 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000149810400 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000001498101f0 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000149810210 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000149810200 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes 
JMP 0000000149810420 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000149810430 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000149810220 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000149810280 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000149810460 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000149810450 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000149810370 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000149810470 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000001498103e0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000149810320 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000001498103b0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000149810390 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000001498102e0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000001498102d0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000149810310 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
0000000077021790 5 bytes JMP 00000001498103c0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000001498103f0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000149810230 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000149810480 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000001498103a0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000001498102f0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000149810350 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000149810290 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000001498102b0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000001498103d0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000149810330 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000149810410 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000149810240 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000001498101e0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000149810250 .text C:\Windows\system32\csrss.exe[848] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000149810490 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000001498104a0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000149810300 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000149810360 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000001498102a0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000001498102c0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000149810380 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000149810340 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000149810440 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000149810260 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000149810270 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000149810400 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000001498101f0 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000149810210 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000149810200 .text 
C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000149810420 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000149810430 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000149810220 .text C:\Windows\system32\csrss.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000149810280 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 
0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text 
C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\services.exe[892] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\services.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\services.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e0ef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text 
C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 
0000000077180410 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\lsass.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\svchost.exe[180] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 
0000000077180330 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\svchost.exe[180] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\svchost.exe[180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 
0000000077180320 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\svchost.exe[744] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 
.text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\System32\svchost.exe[732] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 
0000000077180290 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\System32\svchost.exe[732] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 
0000000077180370 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\System32\svchost.exe[1104] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes 
JMP 00000000771802c0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e0ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1140] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes 
JMP 0000000077180480 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text 
C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\svchost.exe[1140] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 
00000000771803f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\svchost.exe[1180] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 
bytes JMP 0000000077180420 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e0ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 
5 bytes JMP 00000000771802e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text 
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\svchost.exe[1492] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes 
JMP 0000000077180480 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text 
C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\svchost.exe[1492] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 
00000000771803f0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\svchost.exe[1824] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 
bytes JMP 0000000077180420 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text 
C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\taskhost.exe[1932] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 
00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\taskhost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\Explorer.EXE[836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e0ef8d 1 byte [62] .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes 
JMP 00000000771803b0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 
0000000077180290 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 
00000000771802a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 
0000000077180430 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text 
C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\svchost.exe[2352] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 
bytes JMP 0000000077180200 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000077180480 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Program 
Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 
5 bytes JMP 0000000077180270 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000103aa0460 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000103aa0450 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000103aa0370 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000103aa0470 .text C:\Program Files\Microsoft SQL 
Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 0000000103aa03e0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000103aa0320 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 0000000103aa03b0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000103aa0390 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 0000000103aa02e0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 0000000103aa02d0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000103aa0310 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 0000000103aa03c0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 0000000103aa03f0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000103aa0230 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 
0000000103aa0480 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 0000000103aa03a0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 0000000103aa02f0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000103aa0350 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000103aa0290 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 0000000103aa02b0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 0000000103aa03d0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000103aa0330 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000103aa0410 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000103aa0240 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 0000000103aa01e0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000103aa0250 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000103aa0490 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 0000000103aa04a0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000103aa0300 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000103aa0360 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 0000000103aa02a0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 0000000103aa02c0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000103aa0380 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000103aa0340 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000103aa0440 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000103aa0260 .text C:\Program Files\Microsoft SQL 
Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000103aa0270 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000103aa0400 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 0000000103aa01f0 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000103aa0210 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000103aa0200 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000103aa0420 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000103aa0430 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000103aa0220 .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000103aa0280 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[2752] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000759da2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2576] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000759da2fd 1 byte [62] .text C:\Windows\system32\svchost.exe[3132] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000077180460 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000077180450 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000077180370 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000077180470 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000000771803e0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000077180320 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000000771803b0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000077180390 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000000771802e0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000000771802d0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000077180310 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000000771803c0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000000771803f0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000077180230 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes 
JMP 0000000077180480 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000000771803a0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000000771802f0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000077180350 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000077180290 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000000771802b0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000000771803d0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000077180330 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000077180410 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000077180240 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000000771801e0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000077180250 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000077180490 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000000771804a0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000077180300 .text 
C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000077180360 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000000771802a0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000000771802c0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000077180380 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000077180340 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000077180440 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000077180260 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000077180270 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000077180400 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000000771801f0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000077180210 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000077180200 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000077180420 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000077180430 .text C:\Windows\system32\svchost.exe[3132] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000077180220 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000077180280 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e0ef8d 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3172] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000759da2fd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077021360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770213b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077021510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077021560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077021570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077021620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077021670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077021730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[3224] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077021750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077021790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077021940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077021b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077021b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077021c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077021c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077021c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077021d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077021d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077021db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077021de0 5 bytes JMP 0000000100070240 .text 
C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077022160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077022190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770221d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770221e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077022240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077022290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770222c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770222d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770225c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770227c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770227d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 5 bytes JMP 0000000100070400 
.text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770229b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077022a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077022a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077022a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077022aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077022b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000771cfac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000771cfb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771cfcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000771d0038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000771d1920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) 
Management Engine Components\LMS\LMS.exe[2008] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000771ec4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2008] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000771f1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2008] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000759da2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000771cfac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000771cfb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771cfcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000771d0038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000771d1920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3532] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000771ec4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000771f1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3532] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000759da2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\UNS\UNS.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000771cfac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000771cfb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771cfcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000771d0038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000771d1920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4536] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000771ec4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4536] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000771f1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4536] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000759da2fd 1 byte [62] .text C:\Users\Lenovo\Downloads\ywrvxv7u.exe[5156] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000759da2fd 1 byte [62] ---- Processes - GMER 2.1 ---- Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46) 0000000069ad0000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ 
application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000069000000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752](2014-10-22 00:22:50) 0000000068f40000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000068930000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (ICU I18N DLL/The ICU Project)(2014-10-22 00:22:50) 000000004a900000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (ICU Common DLL/The ICU Project)(2014-10-22 00:22:50) 00000000044d0000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (ICU Data DLL/The ICU Project)(2014-10-22 00:22:50) 000000004ad00000 Library c:\users\lenovo\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmptv87jw.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752](2015-01-16 09:51:10) 0000000003f80000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 00000000664a0000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 
0000000065480000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000065230000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000064fd0000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 000000006a230000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752](2014-10-22 00:22:50) 000000006a070000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46) 0000000069a30000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 000000006a1f0000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 000000006a1a0000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe 
[2752](2014-10-22 00:22:48) 000000006a0c0000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2752](2014-10-22 00:22:46) 0000000069a90000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 423 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 26525051 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689dc48669 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0143dcd086c Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 423 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 26525051 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689dc48669 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0143dcd086c (not active ControlSet) ---- EOF - GMER 2.1 ----