GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-16 17:23:47 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45 465,76GB Running: i6vly0fn.exe; Driver: C:\Users\user\AppData\Local\Temp\pxldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 0000000149730450 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 0000000149730440 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {MOV EBP, [RCX]; CALL RCX} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 0000000149730360 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 0000000149730460 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000001497303d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 0000000149730310 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000001497303a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 0000000149730380 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000001497302d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000001497302c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0xffffffffd1ff2490} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 0000000149730300 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000001497303b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000001497303e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 0000000149730220 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 0000000149730470 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 0000000149730390 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000001497302e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 0000000149730340 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 0000000149730280 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000001497302a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {MOV EBX, [RSI]; CALL RCX} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000001497303c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {MOV EBX, [RDI]; CALL RCX} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 0000000149730320 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 0000000149730400 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 0000000149730230 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000001497301d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 0000000149730240 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 0000000149730480 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 0000000149730490 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000001497302f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 0000000149730350 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 0000000149730290 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000001497302b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 0000000149730370 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 0000000149730330 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 0000000149730430 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 0000000149730250 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {MOV EDX, [RBX]; CALL RCX} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 0000000149730260 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {MOV EDX, [RBX]; CALL RCX} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000001497303f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000001497301e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 0000000149730200 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000001497301f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 0000000149730410 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {MOV EDX, [RDX]; CALL RCX} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 0000000149730420 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {MOV EDX, [RDX]; CALL RCX} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 0000000149730210 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 0000000149730270 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\wininit.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 0000000149730450 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 0000000149730440 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {MOV EBP, [RCX]; CALL RCX} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 0000000149730360 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 0000000149730460 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000001497303d0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 0000000149730310 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000001497303a0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 0000000149730380 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000001497302d0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000001497302c0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0xffffffffd1ff2490} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 0000000149730300 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000001497303b0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000001497303e0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 0000000149730220 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 0000000149730470 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 0000000149730390 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000001497302e0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 0000000149730340 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 0000000149730280 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000001497302a0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {MOV EBX, [RSI]; CALL RCX} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000001497303c0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {MOV EBX, [RDI]; CALL RCX} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 0000000149730320 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 0000000149730400 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 0000000149730230 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000001497301d0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 0000000149730240 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 0000000149730480 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 0000000149730490 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000001497302f0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 0000000149730350 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 0000000149730290 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000001497302b0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 0000000149730370 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 0000000149730330 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 0000000149730430 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 0000000149730250 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {MOV EDX, [RBX]; CALL RCX} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 0000000149730260 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {MOV EDX, [RBX]; CALL RCX} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000001497303f0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000001497301e0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 0000000149730200 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000001497301f0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 0000000149730410 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {MOV EDX, [RDX]; CALL RCX} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 0000000149730420 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {MOV EDX, [RDX]; CALL RCX} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 0000000149730210 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 0000000149730270 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 0000000100040450 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 0000000100040440 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0xffffffff88902990} .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 0000000100040360 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 0000000100040460 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 0000000100040310 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 0000000100040380 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000001000402c0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0xffffffff88902490} .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 0000000100040300 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 0000000100040220 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 0000000100040470 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 0000000100040390 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 0000000100040340 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 0000000100040280 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000001000402a0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0xffffffff88901e90} .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000001000403c0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0xffffffff88901f90} .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 0000000100040320 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 0000000100040230 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000001000401d0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 0000000100040240 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 0000000100040480 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 0000000100040490 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 0000000100040350 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 0000000100040290 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 0000000100040370 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 0000000100040330 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 0000000100040430 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 0000000100040250 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0xffffffff88901390} .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 0000000100040260 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0xffffffff88901390} .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 0000000100040200 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 0000000100040410 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0xffffffff88901290} .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 0000000100040420 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0xffffffff88901290} .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 0000000100040210 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 0000000100040270 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0xffffffff88932990} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0xffffffff88932490} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0xffffffff88931e90} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0xffffffff88931f90} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0xffffffff88931390} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0xffffffff88931390} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0xffffffff88931290} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0xffffffff88931290} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 0000000100060450 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 0000000100060440 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0xffffffff88922990} .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 0000000100060360 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 0000000100060460 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 0000000100060310 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 0000000100060380 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000001000602c0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0xffffffff88922490} .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 0000000100060300 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 0000000100060220 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 0000000100060470 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 0000000100060390 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 0000000100060340 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 0000000100060280 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000001000602a0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0xffffffff88921e90} .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000001000603c0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0xffffffff88921f90} .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 0000000100060320 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 0000000100060230 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000001000601d0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 0000000100060240 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 0000000100060480 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 0000000100060490 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 0000000100060350 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 0000000100060290 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 0000000100060370 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 0000000100060330 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 0000000100060430 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 0000000100060250 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0xffffffff88921390} .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 0000000100060260 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0xffffffff88921390} .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 0000000100060200 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 0000000100060410 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0xffffffff88921290} .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 0000000100060420 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0xffffffff88921290} .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 0000000100060210 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 0000000100060270 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0xffffffff88932990} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0xffffffff88932490} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0xffffffff88931e90} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0xffffffff88931f90} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0xffffffff88931390} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0xffffffff88931390} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0xffffffff88931290} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0xffffffff88931290} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\Dwm.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1884] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000773d8781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0xffffffff88932990} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0xffffffff88932490} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0xffffffff88931e90} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0xffffffff88931f90} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0xffffffff88931390} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0xffffffff88931390} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0xffffffff88931290} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0xffffffff88931290} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2ab1 5 bytes JMP 0000000100e1f4f2 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075d61401 2 bytes JMP 773fb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075d61419 2 bytes JMP 773fb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075d61431 2 bytes JMP 77478fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075d6144a 2 bytes CALL 773d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075d614dd 2 bytes JMP 774788c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075d614f5 2 bytes JMP 77478aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075d6150d 2 bytes JMP 774787ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075d61525 2 bytes JMP 77478b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075d6153d 2 bytes JMP 773efca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075d61555 2 bytes JMP 773f68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075d6156d 2 bytes JMP 77479089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075d61585 2 bytes JMP 77478bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075d6159d 2 bytes JMP 7747877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075d615b5 2 bytes JMP 773efd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075d615cd 2 bytes JMP 773fb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075d616b2 2 bytes JMP 77478f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1084] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075d616bd 2 bytes JMP 77478713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!DbgBreakPoint 000000007773cc90 3 bytes [8B, 40, 30] .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075d61401 2 bytes JMP 773fb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075d61419 2 bytes JMP 773fb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075d61431 2 bytes JMP 77478fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075d6144a 2 bytes CALL 773d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075d614dd 2 bytes JMP 774788c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075d614f5 2 bytes JMP 77478aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075d6150d 2 bytes JMP 774787ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075d61525 2 bytes JMP 77478b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075d6153d 2 bytes JMP 773efca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075d61555 2 bytes JMP 773f68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075d6156d 2 bytes JMP 77479089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075d61585 2 bytes JMP 77478bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075d6159d 2 bytes JMP 7747877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075d615b5 2 bytes JMP 773efd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075d615cd 2 bytes JMP 773fb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075d616b2 2 bytes JMP 77478f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075d616bd 2 bytes JMP 77478713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\System32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\wbem\wmiprvse.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\conhost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000773d8781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075d61401 2 bytes JMP 773fb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075d61419 2 bytes JMP 773fb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075d61431 2 bytes JMP 77478fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075d6144a 2 bytes CALL 773d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075d614dd 2 bytes JMP 774788c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075d614f5 2 bytes JMP 77478aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075d6150d 2 bytes JMP 774787ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075d61525 2 bytes JMP 77478b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075d6153d 2 bytes JMP 773efca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075d61555 2 bytes JMP 773f68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075d6156d 2 bytes JMP 77479089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075d61585 2 bytes JMP 77478bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075d6159d 2 bytes JMP 7747877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075d615b5 2 bytes JMP 773efd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075d615cd 2 bytes JMP 773fb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075d616b2 2 bytes JMP 77478f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075d616bd 2 bytes JMP 77478713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075d61401 2 bytes JMP 773fb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075d61419 2 bytes JMP 773fb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075d61431 2 bytes JMP 77478fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075d6144a 2 bytes CALL 773d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075d614dd 2 bytes JMP 774788c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075d614f5 2 bytes JMP 77478aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075d6150d 2 bytes JMP 774787ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075d61525 2 bytes JMP 77478b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075d6153d 2 bytes JMP 773efca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075d61555 2 bytes JMP 773f68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075d6156d 2 bytes JMP 77479089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075d61585 2 bytes JMP 77478bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075d6159d 2 bytes JMP 7747877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075d615b5 2 bytes JMP 773efd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075d615cd 2 bytes JMP 773fb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075d616b2 2 bytes JMP 77478f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075d616bd 2 bytes JMP 77478713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\AUDIODG.EXE[4852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075d61401 2 bytes JMP 773fb21b C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075d61419 2 bytes JMP 773fb346 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075d61431 2 bytes JMP 77478fd1 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075d6144a 2 bytes CALL 773d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075d614dd 2 bytes JMP 774788c4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075d614f5 2 bytes JMP 77478aa0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075d6150d 2 bytes JMP 774787ba C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075d61525 2 bytes JMP 77478b8a C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075d6153d 2 bytes JMP 773efca8 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075d61555 2 bytes JMP 773f68ef C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075d6156d 2 bytes JMP 77479089 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075d61585 2 bytes JMP 77478bea C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075d6159d 2 bytes JMP 7747877e C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075d615b5 2 bytes JMP 773efd41 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075d615cd 2 bytes JMP 773fb2dc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075d616b2 2 bytes JMP 77478f4c C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4477\Agent.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075d616bd 2 bytes JMP 77478713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\conhost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075d61401 2 bytes JMP 773fb21b C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075d61419 2 bytes JMP 773fb346 C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075d61431 2 bytes JMP 77478fd1 C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075d6144a 2 bytes CALL 773d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075d614dd 2 bytes JMP 774788c4 C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075d614f5 2 bytes JMP 77478aa0 C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075d6150d 2 bytes JMP 774787ba C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075d61525 2 bytes JMP 77478b8a C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075d6153d 2 bytes JMP 773efca8 C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075d61555 2 bytes JMP 773f68ef C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075d6156d 2 bytes JMP 77479089 C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075d61585 2 bytes JMP 77478bea C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075d6159d 2 bytes JMP 7747877e C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075d615b5 2 bytes JMP 773efd41 C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075d615cd 2 bytes JMP 773fb2dc C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075d616b2 2 bytes JMP 77478f4c C:\Windows\syswow64\kernel32.dll .text D:\gry\WOW WoD Beta\Battle.net\Battle.net.6233\Battle.net.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075d616bd 2 bytes JMP 77478713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007773da60 5 bytes JMP 00000000778a0450 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007773dab0 1 byte JMP 00000000778a0440 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007773dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007773dc10 5 bytes JMP 00000000778a0360 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007773dc60 5 bytes JMP 00000000778a0460 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007773dc70 5 bytes JMP 00000000778a03d0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007773dd20 5 bytes JMP 00000000778a0310 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007773dd50 5 bytes JMP 00000000778a03a0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007773dd70 5 bytes JMP 00000000778a0380 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007773ddb0 5 bytes JMP 00000000778a02d0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007773de30 1 byte JMP 00000000778a02c0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007773de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007773de50 5 bytes JMP 00000000778a0300 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007773de90 5 bytes JMP 00000000778a03b0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007773dee0 5 bytes JMP 00000000778a03e0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007773e040 5 bytes JMP 00000000778a0220 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007773e200 5 bytes JMP 00000000778a0470 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007773e230 5 bytes JMP 00000000778a0390 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007773e310 5 bytes JMP 00000000778a02e0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007773e320 5 bytes JMP 00000000778a0340 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007773e380 5 bytes JMP 00000000778a0280 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007773e410 1 byte JMP 00000000778a02a0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007773e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007773e430 1 byte JMP 00000000778a03c0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007773e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007773e440 5 bytes JMP 00000000778a0320 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007773e4b0 5 bytes JMP 00000000778a0400 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007773e4e0 5 bytes JMP 00000000778a0230 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007773e7a0 5 bytes JMP 00000000778a01d0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007773e860 5 bytes JMP 00000000778a0240 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007773e890 5 bytes JMP 00000000778a0480 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007773e8a0 5 bytes JMP 00000000778a0490 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007773e8d0 5 bytes JMP 00000000778a02f0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007773e8e0 5 bytes JMP 00000000778a0350 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007773e940 5 bytes JMP 00000000778a0290 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007773e990 5 bytes JMP 00000000778a02b0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007773e9c0 5 bytes JMP 00000000778a0370 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007773e9d0 5 bytes JMP 00000000778a0330 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007773ecc0 5 bytes JMP 00000000778a0430 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007773eec0 1 byte JMP 00000000778a0250 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007773eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007773eed0 1 byte JMP 00000000778a0260 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007773eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007773eee0 5 bytes JMP 00000000778a03f0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007773f0a0 5 bytes JMP 00000000778a01e0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007773f0b0 5 bytes JMP 00000000778a0200 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007773f120 5 bytes JMP 00000000778a01f0 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007773f180 1 byte JMP 00000000778a0410 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007773f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007773f190 1 byte JMP 00000000778a0420 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007773f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007773f1a0 5 bytes JMP 00000000778a0210 .text C:\Windows\system32\svchost.exe[5224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007773f280 5 bytes JMP 00000000778a0270 ---- Processes - GMER 2.1 ---- Library C:\Users\user\AppData\Local\Temp\70aeaca4-098f-4bcc-b0fa-e2544fb40678\CliSecureRT64.dll (*** suspicious ***) @ C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe [2056](2015-06-15 14:12:30) 0000000180000000 ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Program Files 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Program Files\AVAST Software 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Program Files\AVAST Software\Avast 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Program Files\AVAST Software\Avast\sfzone 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData\NVIDIA Corporation 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData\NVIDIA Corporation\Drs 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData\NVIDIA Corporation\Drs\nvAppTimestamps 2764 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData\NVIDIA Corporation\Drs\nvdrssel.bin 1 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-11 200704 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Archived History 249856 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Archived History-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000010 25939 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000024 21842 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000038 22482 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\data_0 45056 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\data_1 532480 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\data_2 1056768 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\data_3 4202496 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000001 23218 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000002 55543 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000003 20489 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000004 22956 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000005 34312 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000006 38344 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000007 34996 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000008 41920 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000009 31821 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000a 53228 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000b 291277 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000c 17244 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000d 44875 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000e 26059 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000f 80293 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000011 16593 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000012 20261 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000013 23249 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000014 22609 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000015 22042 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000016 21866 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000017 18703 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000018 20062 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000019 19686 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001a 30048 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001b 17053 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001c 27446 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001d 28238 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001e 22207 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001f 20166 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000020 18055 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000021 20029 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000022 25541 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000023 34442 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000025 19054 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000026 21266 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000027 17645 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000028 65002 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000029 19453 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002a 28295 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002b 18171 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002c 61434 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002d 149508 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002e 94633 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002f 60999 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000030 35288 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000031 19089 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000032 18107 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000033 31505 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000034 31052 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000035 18844 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000036 28972 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000037 36328 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000039 21302 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003a 29263 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003b 38672 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003c 20071 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003d 32555 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003e 26693 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003f 17417 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000040 22356 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000041 25009 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000042 21537 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000043 21883 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000044 22905 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000045 31655 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000046 19941 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000047 18648 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000048 21922 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000049 35221 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00004a 24745 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00004b 26263 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00004c 25086 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00004d 32267 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\index 524656 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cookies 31744 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cookies-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Current Session 98541 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases\Databases.db 7168 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases\Databases.db-journal 5672 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases\http_www.fotka.pl_0 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases\http_www.fotka.pl_0\1 7168 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\000003.log 190 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\CURRENT 16 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\LOG 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\MANIFEST-000002 50 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\000003.log 285 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\CURRENT 16 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\LOG 47 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\MANIFEST-000002 50 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Favicons 20480 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Favicons-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\data_0 45056 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\data_1 270336 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\data_2 1056768 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\data_3 8192 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\index 524656 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History 466944 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-04 258048 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-04-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-10 36864 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-10-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-11-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2014-02 73728 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2014-02-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2014-03 409600 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2014-03-journal 49760 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Provider Cache 28723 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History-journal 25136 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\JumpListIcons 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\JumpListIcons\BFA4.tmp 28134 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\JumpListIcons\BFA5.tmp 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\JumpListIcons\BFA6.tmp 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\https_ls.hit.gemius.pl_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\https_ls.hit.gemius.pl_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_ls.hit.gemius.pl_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_ls.hit.gemius.pl_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_spolecznosci.net_0.localstorage 7168 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_spolecznosci.net_0.localstorage-journal 7736 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_www.fotka.pl_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_www.fotka.pl_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_www.youtube.com_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_www.youtube.com_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Network Action Predictor 23552 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Network Action Predictor-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Origin Bound Certs 7168 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Origin Bound Certs-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Preferences 14164 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\QuotaManager 13312 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\QuotaManager-journal 8768 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\README 186 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\000003.log 508 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\CURRENT 16 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\LOG 47 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\MANIFEST-000002 50 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Shortcuts 12288 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Shortcuts-journal 8720 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Top Sites 20480 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Top Sites-journal 12824 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\User StyleSheets 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\User StyleSheets\Custom.css 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Visited Links 131072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Web Data 77824 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Web Data-journal 4624 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Local State 14170 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Safe Browsing Cookies 6144 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Safe Browsing Cookies-journal 1544 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\History 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\container.dat 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 128 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Temp 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\bbcdn-bbnaut.ibillboard.com 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\bbcdn-bbnaut.ibillboard.com\server-static-files 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\bbcdn-bbnaut.ibillboard.com\server-static-files\bbnaut-b.swf 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\bbcdn-bbnaut.ibillboard.com\server-static-files\bbnaut-b.swf\bbcookie.sol 73 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\s.ytimg.com 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bbcdn-bbnaut.ibillboard.com 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bbcdn-bbnaut.ibillboard.com\settings.sol 97 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 3429 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft\Windows\Recent 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\98e247023708b752.customDestinations-ms 8287 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Windows\Prefetch 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Windows\Prefetch\SAFEZONEBROWSER.EXE-EA1E6E17.pf 28922 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\snx_fs.dat 34192 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG1 37888 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{09b1705f-a7a3-11e3-99a9-8c89a55524ba}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{09b1705f-a7a3-11e3-99a9-8c89a55524ba}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{09b1705f-a7a3-11e3-99a9-8c89a55524ba}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 2.1 ----