GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-24 15:05:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45 465,76GB Running: i6vly0fn.exe; Driver: C:\Users\user\AppData\Local\Temp\pxldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 000000014a220450 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 000000014a220440 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0xffffffffd2be2990} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 000000014a220360 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 000000014a220460 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 000000014a2203d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 000000014a220310 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 000000014a2203a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 000000014a220380 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 000000014a2202d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 000000014a2202c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0xffffffffd2be2490} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 000000014a220300 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 000000014a2203b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 000000014a2203e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 000000014a220220 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 000000014a220470 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 000000014a220390 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 000000014a2202e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 000000014a220340 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 000000014a220280 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 000000014a2202a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0xffffffffd2be1e90} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 000000014a2203c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0xffffffffd2be1f90} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 000000014a220320 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 000000014a220400 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 000000014a220230 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 000000014a2201d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 000000014a220240 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 000000014a220480 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 000000014a220490 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 000000014a2202f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 000000014a220350 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 000000014a220290 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 000000014a2202b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 000000014a220370 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 000000014a220330 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 000000014a220430 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 000000014a220250 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0xffffffffd2be1390} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 000000014a220260 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0xffffffffd2be1390} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 000000014a2203f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 000000014a2201e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 000000014a220200 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 000000014a2201f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 000000014a220410 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0xffffffffd2be1290} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 000000014a220420 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0xffffffffd2be1290} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 000000014a220210 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 000000014a220270 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\wininit.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 000000014a220450 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 000000014a220440 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0xffffffffd2be2990} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 000000014a220360 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 000000014a220460 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 000000014a2203d0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 000000014a220310 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 000000014a2203a0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 000000014a220380 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 000000014a2202d0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 000000014a2202c0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0xffffffffd2be2490} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 000000014a220300 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 000000014a2203b0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 000000014a2203e0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 000000014a220220 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 000000014a220470 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 000000014a220390 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 000000014a2202e0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 000000014a220340 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 000000014a220280 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 000000014a2202a0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0xffffffffd2be1e90} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 000000014a2203c0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0xffffffffd2be1f90} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 000000014a220320 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 000000014a220400 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 000000014a220230 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 000000014a2201d0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 000000014a220240 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 000000014a220480 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 000000014a220490 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 000000014a2202f0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 000000014a220350 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 000000014a220290 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 000000014a2202b0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 000000014a220370 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 000000014a220330 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 000000014a220430 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 000000014a220250 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0xffffffffd2be1390} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 000000014a220260 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0xffffffffd2be1390} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 000000014a2203f0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 000000014a2201e0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 000000014a220200 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 000000014a2201f0 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 000000014a220410 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0xffffffffd2be1290} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 000000014a220420 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0xffffffffd2be1290} .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 000000014a220210 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 000000014a220270 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0xffffffff88a32990} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0xffffffff88a32490} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0xffffffff88a31e90} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0xffffffff88a31f90} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0xffffffff88a31390} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0xffffffff88a31390} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0xffffffff88a31290} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0xffffffff88a31290} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0xffffffff88a32990} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0xffffffff88a32490} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0xffffffff88a31e90} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0xffffffff88a31f90} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0xffffffff88a31390} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0xffffffff88a31390} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0xffffffff88a31290} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0xffffffff88a31290} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1792] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076f48781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\System32\svchost.exe[2328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076801401 2 bytes JMP 76f6b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076801419 2 bytes JMP 76f6b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076801431 2 bytes JMP 76fe8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007680144a 2 bytes CALL 76f4489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768014dd 2 bytes JMP 76fe88c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768014f5 2 bytes JMP 76fe8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007680150d 2 bytes JMP 76fe87ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076801525 2 bytes JMP 76fe8b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007680153d 2 bytes JMP 76f5fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076801555 2 bytes JMP 76f668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007680156d 2 bytes JMP 76fe9089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076801585 2 bytes JMP 76fe8bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007680159d 2 bytes JMP 76fe877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768015b5 2 bytes JMP 76f5fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768015cd 2 bytes JMP 76f6b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768016b2 2 bytes JMP 76fe8f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768016bd 2 bytes JMP 76fe8713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\System32\rundll32.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\conhost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077392ab1 5 bytes JMP 000000010084f4f2 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076801401 2 bytes JMP 76f6b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076801419 2 bytes JMP 76f6b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076801431 2 bytes JMP 76fe8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007680144a 2 bytes CALL 76f4489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768014dd 2 bytes JMP 76fe88c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768014f5 2 bytes JMP 76fe8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007680150d 2 bytes JMP 76fe87ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076801525 2 bytes JMP 76fe8b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007680153d 2 bytes JMP 76f5fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076801555 2 bytes JMP 76f668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007680156d 2 bytes JMP 76fe9089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076801585 2 bytes JMP 76fe8bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007680159d 2 bytes JMP 76fe877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768015b5 2 bytes JMP 76f5fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768015cd 2 bytes JMP 76f6b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768016b2 2 bytes JMP 76fe8f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3996] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768016bd 2 bytes JMP 76fe8713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!DbgBreakPoint 000000007763cc90 3 bytes [8B, 40, 30] .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007763da60 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007763dab0 1 byte JMP 00000000777a0440 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007763dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007763dc10 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007763dc60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007763dc70 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007763dd20 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007763dd50 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007763dd70 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007763ddb0 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007763de30 1 byte JMP 00000000777a02c0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007763de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007763de50 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007763de90 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007763dee0 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007763e040 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007763e200 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007763e230 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007763e310 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007763e320 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007763e380 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007763e410 1 byte JMP 00000000777a02a0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007763e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007763e430 1 byte JMP 00000000777a03c0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007763e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007763e440 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007763e4b0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007763e4e0 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007763e7a0 5 bytes JMP 00000000777a01d0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007763e860 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007763e890 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007763e8a0 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007763e8d0 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007763e8e0 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007763e940 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007763e990 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007763e9c0 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007763e9d0 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007763ecc0 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007763eec0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007763eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007763eed0 1 byte JMP 00000000777a0260 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007763eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007763eee0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007763f0a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007763f0b0 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007763f120 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007763f180 1 byte JMP 00000000777a0410 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007763f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007763f190 1 byte JMP 00000000777a0420 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007763f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007763f1a0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007763f280 5 bytes JMP 00000000777a0270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3108] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076f48781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] ---- Processes - GMER 2.1 ---- Library C:\Users\user\AppData\Local\Temp\70aeaca4-098f-4bcc-b0fa-e2544fb40678\CliSecureRT64.dll (*** suspicious ***) @ C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe [4048](2015-06-15 14:12:30) 0000000180000000 ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Program Files 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Program Files\AVAST Software 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Program Files\AVAST Software\Avast 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Program Files\AVAST Software\Avast\sfzone 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData\NVIDIA Corporation 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData\NVIDIA Corporation\Drs 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData\NVIDIA Corporation\Drs\nvAppTimestamps 2764 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\ProgramData\NVIDIA Corporation\Drs\nvdrssel.bin 1 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-11 200704 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Archived History 249856 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Archived History-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000010 25939 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000024 21842 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000038 22482 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\data_0 45056 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\data_1 532480 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\data_2 1056768 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\data_3 4202496 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000001 23218 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000002 55543 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000003 20489 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000004 22956 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000005 34312 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000006 38344 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000007 34996 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000008 41920 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000009 31821 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000a 53228 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000b 291277 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000c 17244 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000d 44875 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000e 26059 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00000f 80293 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000011 16593 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000012 20261 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000013 23249 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000014 22609 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000015 22042 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000016 21866 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000017 18703 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000018 20062 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000019 19686 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001a 30048 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001b 17053 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001c 27446 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001d 28238 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001e 22207 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00001f 20166 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000020 18055 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000021 20029 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000022 25541 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000023 34442 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000025 19054 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000026 21266 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000027 17645 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000028 65002 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000029 19453 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002a 28295 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002b 18171 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002c 61434 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002d 149508 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002e 94633 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00002f 60999 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000030 35288 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000031 19089 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000032 18107 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000033 31505 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000034 31052 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000035 18844 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000036 28972 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000037 36328 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000039 21302 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003a 29263 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003b 38672 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003c 20071 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003d 32555 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003e 26693 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00003f 17417 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000040 22356 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000041 25009 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000042 21537 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000043 21883 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000044 22905 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000045 31655 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000046 19941 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000047 18648 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000048 21922 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_000049 35221 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00004a 24745 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00004b 26263 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00004c 25086 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\f_00004d 32267 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cache\index 524656 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cookies 31744 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Cookies-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Current Session 98541 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases\Databases.db 7168 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases\Databases.db-journal 5672 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases\http_www.fotka.pl_0 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\databases\http_www.fotka.pl_0\1 7168 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\000003.log 190 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\CURRENT 16 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\LOG 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension Rules\MANIFEST-000002 50 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\000003.log 285 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\CURRENT 16 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\LOG 47 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Extension State\MANIFEST-000002 50 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Favicons 20480 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Favicons-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\data_0 45056 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\data_1 270336 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\data_2 1056768 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\data_3 8192 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\GPUCache\index 524656 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History 466944 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-04 258048 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-04-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-10 36864 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-10-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2013-11-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2014-02 73728 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2014-02-journal 16384 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2014-03 409600 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Index 2014-03-journal 49760 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History Provider Cache 28723 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\History-journal 25136 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\JumpListIcons 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\JumpListIcons\BFA4.tmp 28134 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\JumpListIcons\BFA5.tmp 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\JumpListIcons\BFA6.tmp 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\https_ls.hit.gemius.pl_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\https_ls.hit.gemius.pl_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_ls.hit.gemius.pl_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_ls.hit.gemius.pl_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_spolecznosci.net_0.localstorage 7168 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_spolecznosci.net_0.localstorage-journal 7736 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_www.fotka.pl_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_www.fotka.pl_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_www.youtube.com_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Local Storage\http_www.youtube.com_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Network Action Predictor 23552 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Network Action Predictor-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Origin Bound Certs 7168 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Origin Bound Certs-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Preferences 14164 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\QuotaManager 13312 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\QuotaManager-journal 8768 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\README 186 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\000003.log 508 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\CURRENT 16 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\LOG 47 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Session Storage\MANIFEST-000002 50 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Shortcuts 12288 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Shortcuts-journal 8720 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Top Sites 20480 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Top Sites-journal 12824 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\User StyleSheets 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\User StyleSheets\Custom.css 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Visited Links 131072 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Web Data 77824 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Default\Web Data-journal 4624 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Local State 14170 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Safe Browsing Cookies 6144 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\sfzone_profile\Safe Browsing Cookies-journal 1544 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\History 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\container.dat 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 128 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Local\Temp 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\bbcdn-bbnaut.ibillboard.com 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\bbcdn-bbnaut.ibillboard.com\server-static-files 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\bbcdn-bbnaut.ibillboard.com\server-static-files\bbnaut-b.swf 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\bbcdn-bbnaut.ibillboard.com\server-static-files\bbnaut-b.swf\bbcookie.sol 73 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LZ3V23DH\s.ytimg.com 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bbcdn-bbnaut.ibillboard.com 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bbcdn-bbnaut.ibillboard.com\settings.sol 97 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 3429 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft\Windows\Recent 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\98e247023708b752.customDestinations-ms 8287 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Windows\Prefetch 0 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\C\Windows\Prefetch\SAFEZONEBROWSER.EXE-EA1E6E17.pf 28922 bytes File C:\avast! sandbox\S-1-5-21-3017187921-1793405025-1133042684-1000\sfzone\snx_fs.dat 34192 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG1 37888 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{09b1705f-a7a3-11e3-99a9-8c89a55524ba}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{09b1705f-a7a3-11e3-99a9-8c89a55524ba}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{09b1705f-a7a3-11e3-99a9-8c89a55524ba}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 2.1 ----