GMER 2.0.18444 - http://www.gmer.net Rootkit scan 2013-01-18 20:23:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BPVT-22JJ5T0 rev.01.01A01 298,09GB Running: egyox7y0.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pgloapod.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 000000014a660440 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 000000014a660430 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 000000014a660450 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0xffffffffd384ee90} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000014a6603b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 000000014a660320 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 000000014a660380 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 000000014a6602e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 000000014a660410 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 000000014a6602d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 000000014a660310 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 000000014a660390 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 000000014a6603c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 000000014a660230 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0xffffffffd384e890} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 000000014a660460 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 000000014a660370 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 000000014a6602f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 000000014a660350 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 000000014a660290 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 000000014a6602b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 000000014a6603a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 000000014a660330 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0xffffffffd384e590} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 000000014a6603e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 000000014a660240 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 000000014a6601e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 000000014a660250 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0xffffffffd384e090} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 000000014a660470 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 000000014a660480 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 000000014a660300 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 000000014a660360 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 000000014a6602a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 000000014a6602c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 000000014a660340 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 000000014a660420 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 000000014a660260 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 000000014a660270 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 000000014a6603d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0xffffffffd384db90} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 000000014a6601f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 000000014a660210 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 000000014a660200 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 000000014a6603f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 000000014a660400 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 000000014a660220 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 000000014a660280 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000100040440 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000100040430 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000100040450 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0xffffffff8922ee90} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000100040320 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000100040380 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000100040410 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000100040310 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000100040390 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000100040230 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0xffffffff8922e890} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000100040460 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000100040370 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000100040350 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000100040290 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000100040330 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0xffffffff8922e590} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000100040240 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000100040250 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0xffffffff8922e090} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000100040470 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000100040480 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000100040300 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000100040360 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000100040340 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000100040420 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000100040260 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000100040270 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 00000001000403d0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0xffffffff8922db90} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000100040210 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000100040200 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000100040220 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000100040280 .text C:\Windows\system32\wininit.exe[520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0xffffffff8930ee90} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0xffffffff8930e890} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0xffffffff8930e590} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0xffffffff8930e090} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0xffffffff8930db90} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\services.exe[576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0xffffffff8925ee90} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0xffffffff8925e890} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0xffffffff8925e590} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0xffffffff8925e090} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0xffffffff8925db90} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0xffffffff8925ee90} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0xffffffff8925e890} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0xffffffff8925e590} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0xffffffff8925e090} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0xffffffff8925db90} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\svchost.exe[768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\nvvsvc.exe[848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\System32\svchost.exe[988] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0xffffffff8925ee90} .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0xffffffff8925e890} .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0xffffffff8925e590} .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0xffffffff8925e090} .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0xffffffff8925db90} .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076bc9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd543460 7 bytes JMP 000007fffd4d00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd549940 6 bytes JMP 000007fffd4d0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd549fb0 5 bytes JMP 000007fffd4d0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd54a150 5 bytes JMP 000007fffd4d0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe5289e0 8 bytes JMP 000007fffd4d01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe52be40 8 bytes JMP 000007fffd4d01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe987490 11 bytes JMP 000007fffd4d0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1164] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe99bf00 7 bytes JMP 000007fffd4d0260 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\nvvsvc.exe[1176] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0xffffffff8925ee90} .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0xffffffff8925e890} .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0xffffffff8925e590} .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0xffffffff8925e090} .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0xffffffff8925db90} .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\Dwm.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\Explorer.EXE[1436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 0000000076f703b0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010011075c .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001001103a4 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100110b14 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100110ecc .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010011163c .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100111284 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\System32\spoolsv.exe[2012] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 00000001002f075c .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001002f03a4 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 00000001002f0b14 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 00000001002f0ecc .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0xffffffff8925ee90} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001002f163c .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 00000001002f1284 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0xffffffff8925e890} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0xffffffff8925e590} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0xffffffff8925e090} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0xffffffff8925db90} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100160a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 0000000100171014 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 0000000100170804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 0000000100170a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 0000000100170c0c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 0000000100170e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001701f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001703fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 0000000100170600 .text C:\Program Files\cFosSpeed\spd.exe[2136] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\cFosSpeed\spd.exe[2136] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\cFosSpeed\spd.exe[2136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\cFosSpeed\spd.exe[2136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\cFosSpeed\spd.exe[2136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\cFosSpeed\spd.exe[2136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\cFosSpeed\spd.exe[2136] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\cFosSpeed\spd.exe[2136] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\cFosSpeed\spd.exe[2136] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2392] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100110a08 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 00000001000f1014 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 00000001000f0804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 00000001000f0a08 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 00000001000f0c0c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 00000001000f0e10 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001000f01f8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001000f03fc .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 00000001000f0600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001001f8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001003fc .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100100600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100100804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2488] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100100a08 .text C:\Windows\system32\svchost.exe[2548] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\system32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\system32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\system32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\system32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\system32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\system32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\system32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 00000001003f075c .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001003f03a4 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 00000001003f0b14 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 00000001003f0ecc .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001003f163c .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 00000001003f1284 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\System32\hkcmd.exe[2684] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010040075c .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001004003a4 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100400b14 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100400ecc .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010040163c .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100401284 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000076bc9640 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd543460 7 bytes JMP 000007fffd4d00d8 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd549940 6 bytes JMP 000007fffd4d0148 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd549fb0 5 bytes JMP 000007fffd4d0180 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd54a150 5 bytes JMP 000007fffd4d0110 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe5289e0 8 bytes JMP 000007fffd4d01f0 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe52be40 8 bytes JMP 000007fffd4d01b8 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe987490 11 bytes JMP 000007fffd4d0228 .text C:\Windows\System32\igfxpers.exe[2724] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe99bf00 7 bytes JMP 000007fffd4d0260 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000076bc9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd543460 7 bytes JMP 000007fffd4d00d8 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd549940 6 bytes JMP 000007fffd4d0148 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd549fb0 5 bytes JMP 000007fffd4d0180 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd54a150 5 bytes JMP 000007fffd4d0110 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe5289e0 8 bytes JMP 000007fffd4d01f0 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe52be40 8 bytes JMP 000007fffd4d01b8 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe987490 11 bytes JMP 000007fffd4d0228 .text C:\Program Files\cFosSpeed\cfosspeed.exe[2740] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe99bf00 7 bytes JMP 000007fffd4d0260 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010020075c .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001002003a4 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100200b14 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100200ecc .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010020163c .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100201284 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd543460 7 bytes JMP 000007fffd4d00d8 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd549940 6 bytes JMP 000007fffd4d0148 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd549fb0 5 bytes JMP 000007fffd4d0180 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd54a150 5 bytes JMP 000007fffd4d0110 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe5289e0 8 bytes JMP 000007fffd4d01f0 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe52be40 8 bytes JMP 000007fffd4d01b8 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\TightVNC\tvnserver.exe[2856] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010018075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001001803a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100180b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100180ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010018163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100181284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000076bc9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd543460 7 bytes JMP 000007fffd4d00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd549940 6 bytes JMP 000007fffd4d0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd549fb0 5 bytes JMP 000007fffd4d0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd54a150 5 bytes JMP 000007fffd4d0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe5289e0 8 bytes JMP 000007fffd4d01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2928] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe52be40 8 bytes JMP 000007fffd4d01b8 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 0000000100161014 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 0000000100160a08 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 0000000100160c0c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 0000000100160e10 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2940] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 0000000100160600 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 00000001001a075c .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001001a03a4 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 00000001001a0b14 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 00000001001a0ecc .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001001a163c .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 00000001001a1284 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\TightVNC\tvnserver.exe[2964] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010017075c .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001001703a4 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100170b14 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100170ecc .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010017163c .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100171284 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2104] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010026075c .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001002603a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100260b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100260ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010026163c .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100261284 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000076bc9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd543460 7 bytes JMP 000007fffd4d00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd549940 6 bytes JMP 000007fffd4d0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd549fb0 5 bytes JMP 000007fffd4d0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd54a150 5 bytes JMP 000007fffd4d0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe5289e0 8 bytes JMP 000007fffd4d01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe52be40 8 bytes JMP 000007fffd4d01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe987490 11 bytes JMP 000007fffd4d0228 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe99bf00 7 bytes JMP 000007fffd4d0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef9994da4 7 bytes JMP 000007fff99800d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2080] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef99b9af4 7 bytes JMP 000007fff9980110 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010030075c .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001003003a4 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100300b14 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100300ecc .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010030163c .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100301284 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2424] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010032075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001003203a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100320b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100320ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010032163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100321284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 00000001000b1014 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 00000001000b0c0c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 00000001000b0e10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001000c01f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001000c03fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 00000001000c0600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 00000001000c0804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2880] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 00000001000c0a08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2912] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2912] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f71401 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f71419 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f71431 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f7144a 2 bytes [F7, 76] .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f714dd 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f714f5 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f7150d 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f71525 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f7153d 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f71555 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f7156d 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f71585 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f7159d 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f715b5 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f715cd 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f716b2 2 bytes [F7, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f716bd 2 bytes [F7, 76] .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Program Files (x86)\FeedReader30\feedreader.exe[3396] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075761d1b 5 bytes JMP 00000001734811d1 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075761dc9 5 bytes JMP 0000000173481019 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 0000000173481546 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075762d0a 5 bytes JMP 0000000173481271 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007498e9a2 5 bytes JMP 00000001734815a0 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007498ebdc 5 bytes JMP 000000017348119f .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 0000000100191014 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 0000000100190804 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 0000000100190a08 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 0000000100190c0c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 0000000100190e10 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001901f8 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001903fc .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 0000000100190600 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074cd5ea5 5 bytes JMP 00000001734815d2 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe[3464] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074d09d0b 5 bytes JMP 000000017348122b .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3552] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 00000001002a075c .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001002a03a4 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 00000001002a0b14 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 00000001002a0ecc .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0xffffffff8925ee90} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 00000001002a163c .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 00000001002a1284 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0xffffffff8925e890} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0xffffffff8925e590} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0xffffffff8925e090} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0xffffffff8925db90} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\system32\svchost.exe[3888] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075761d1b 5 bytes JMP 00000001734811d1 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075761dc9 5 bytes JMP 0000000173481019 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 0000000173481546 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075762d0a 5 bytes JMP 0000000173481271 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074cd5ea5 5 bytes JMP 00000001734815d2 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074d09d0b 5 bytes JMP 000000017348122b .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007498e9a2 5 bytes JMP 00000001734815a0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007498ebdc 5 bytes JMP 000000017348119f .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f71401 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f71419 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f71431 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f7144a 2 bytes [F7, 76] .text ... * 9 .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f714dd 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f714f5 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f7150d 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f71525 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f7153d 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f71555 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f7156d 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f71585 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f7159d 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f715b5 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f715cd 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f716b2 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f716bd 2 bytes [F7, 76] .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010031075c .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001003103a4 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100310b14 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100310ecc .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010031163c .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100311284 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000076bc9640 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd543460 7 bytes JMP 000007fffd4d00d8 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd549940 6 bytes JMP 000007fffd4d0148 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd549fb0 5 bytes JMP 000007fffd4d0180 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd54a150 5 bytes JMP 000007fffd4d0110 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe5289e0 8 bytes JMP 000007fffd4d01f0 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe52be40 8 bytes JMP 000007fffd4d01b8 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe[3360] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010031075c .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001003103a4 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100310b14 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100310ecc .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010031163c .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100311284 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\system32\SearchIndexer.exe[3700] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Windows\System32\svchost.exe[4044] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[4044] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\System32\svchost.exe[4044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\System32\svchost.exe[4044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\System32\svchost.exe[4044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\System32\svchost.exe[4044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\System32\svchost.exe[4044] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\System32\svchost.exe[4044] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\System32\svchost.exe[4044] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Windows\System32\svchost.exe[4044] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000076a598f0 5 bytes JMP 000000010035075c .text C:\Windows\System32\svchost.exe[4044] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 0000000076a5fe60 5 bytes JMP 0000000100351284 .text C:\Windows\System32\svchost.exe[4044] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076a62294 2 bytes JMP 0000000100350ecc .text C:\Windows\System32\svchost.exe[4044] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 3 0000000076a62297 2 bytes [8E, 89] .text C:\Windows\System32\svchost.exe[4044] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076a671e8 5 bytes JMP 00000001003503a4 .text C:\Windows\System32\svchost.exe[4044] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076a79320 5 bytes JMP 0000000100350b14 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Windows\System32\WUDFHost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\System32\WUDFHost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\System32\WUDFHost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\System32\WUDFHost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\System32\WUDFHost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\System32\WUDFHost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\System32\WUDFHost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\System32\WUDFHost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075761d1b 5 bytes JMP 00000001734811d1 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075761dc9 5 bytes JMP 0000000173481019 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 0000000173481546 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075762d0a 5 bytes JMP 0000000173481271 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007498e9a2 5 bytes JMP 00000001734815a0 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007498ebdc 5 bytes JMP 000000017348119f .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 0000000100121014 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 0000000100120a08 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 0000000100120c0c .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 0000000100120e10 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001203fc .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f71401 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f71419 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f71431 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f7144a 2 bytes [F7, 76] .text ... * 9 .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f714dd 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f714f5 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f7150d 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f71525 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f7153d 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f71555 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f7156d 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f71585 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f7159d 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f715b5 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f715cd 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f716b2 2 bytes [F7, 76] .text C:\Program Files (x86)\Kadu\kadu.exe[4780] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f716bd 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f71401 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f71419 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f71431 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f7144a 2 bytes [F7, 76] .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f714dd 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f714f5 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f7150d 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f71525 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f7153d 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f71555 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f7156d 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f71585 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f7159d 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f715b5 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f715cd 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f716b2 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f716bd 2 bytes [F7, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2532] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 0000000100110600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100100600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100100804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100100c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100100a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001001001f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001001003fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075761d1b 5 bytes JMP 00000001734811d1 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075761dc9 5 bytes JMP 0000000173481019 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 0000000173481546 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075762d0a 5 bytes JMP 0000000173481271 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007498e9a2 5 bytes JMP 00000001734815a0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007498ebdc 5 bytes JMP 000000017348119f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001101f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001103fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100110600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100110804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100110a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 0000000100121014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 0000000100120804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 0000000100120a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 0000000100120c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 0000000100120e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001201f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001203fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 0000000100120600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074cd5ea5 5 bytes JMP 00000001734815d2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074d09d0b 5 bytes JMP 000000017348122b .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f71401 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f71419 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f71431 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f7144a 2 bytes [F7, 76] .text ... * 9 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f714dd 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f714f5 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f7150d 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f71525 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f7153d 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f71555 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f7156d 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f71585 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f7159d 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f715b5 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f715cd 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f716b2 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f716bd 2 bytes [F7, 76] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fbf991 8 bytes {MOV EDX, 0x1d03e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 15 0000000076fbf99b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 0000000076fbfa0d 8 bytes {MOV EDX, 0x1d01a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 15 0000000076fbfa17 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100270600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 0000000076fbfb25 8 bytes {MOV EDX, 0x1d0168; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 15 0000000076fbfb2f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100270804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fbfbd5 8 bytes {MOV EDX, 0x1d0428; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 15 0000000076fbfbdf 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fbfc05 8 bytes {MOV EDX, 0x1d0368; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 15 0000000076fbfc0f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fbfc1d 8 bytes {MOV EDX, 0x1d0128; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 15 0000000076fbfc27 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fbfc35 8 bytes {MOV EDX, 0x1d04e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 15 0000000076fbfc3f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fbfc65 8 bytes {MOV EDX, 0x1d0528; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 15 0000000076fbfc6f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100270c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fbfce5 8 bytes {MOV EDX, 0x1d04a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 15 0000000076fbfcef 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fbfcfd 8 bytes {MOV EDX, 0x1d0468; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 15 0000000076fbfd07 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fbfd49 8 bytes {MOV EDX, 0x1d0068; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 15 0000000076fbfd53 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 5 0000000076fbfdad 8 bytes {MOV EDX, 0x1d02e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 15 0000000076fbfdb7 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fbfe41 8 bytes {MOV EDX, 0x1d00a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 15 0000000076fbfe4b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 0000000076fbff89 8 bytes {MOV EDX, 0x1d02a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 15 0000000076fbff93 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100270a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fc0099 8 bytes {MOV EDX, 0x1d0028; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 15 0000000076fc00a3 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 5 0000000076fc0781 8 bytes {MOV EDX, 0x1d0268; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 15 0000000076fc078b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 0000000076fc0ffd 8 bytes {MOV EDX, 0x1d01e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 15 0000000076fc1007 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 5 0000000076fc105d 8 bytes {MOV EDX, 0x1d0228; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 15 0000000076fc1067 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fc10a5 8 bytes {MOV EDX, 0x1d03a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 15 0000000076fc10af 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fc111d 8 bytes {MOV EDX, 0x1d0328; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 15 0000000076fc1127 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fc1321 8 bytes {MOV EDX, 0x1d00e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 15 0000000076fc132b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001002701f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001002703fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007548103d 5 bytes JMP 0000000100010030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075481072 5 bytes JMP 0000000100010070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNELBASE.dll!CreateEventW 000000007576119f 3 bytes JMP 0000000100020030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNELBASE.dll!CreateEventW + 4 00000000757611a3 1 byte [8A] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNELBASE.dll!OpenEventW 00000000757611cf 3 bytes JMP 0000000100020070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNELBASE.dll!OpenEventW + 4 00000000757611d3 1 byte [8A] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075761d1b 5 bytes JMP 00000001734811d1 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075761dc9 5 bytes JMP 0000000173481019 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 0000000173481546 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075762d0a 5 bytes JMP 0000000173481271 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetDeviceCaps 0000000074974de0 5 bytes JMP 00000001002903b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SelectObject 0000000074974f70 5 bytes JMP 00000001002905f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SetBkMode 00000000749751a2 5 bytes JMP 00000001002908f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SetTextColor 000000007497522d 5 bytes JMP 0000000100290a30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!DeleteObject 0000000074975689 5 bytes JMP 00000001002901b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000749758b3 5 bytes JMP 0000000100290170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetCurrentObject 0000000074976bad 5 bytes JMP 0000000100290370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SaveDC 0000000074976e05 5 bytes JMP 0000000100290570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!RestoreDC 0000000074976ead 5 bytes JMP 0000000100290530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SetStretchBltMode 0000000074977180 5 bytes JMP 00000001002906b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!StretchDIBits 0000000074977435 5 bytes JMP 0000000100290770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074977bcc 5 bytes JMP 00000001002900b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!IntersectClipRect 0000000074977dc4 5 bytes JMP 00000001002903f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetTextAlign 0000000074977fd5 5 bytes JMP 0000000100290d70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetTextMetricsW 00000000749782b2 5 bytes JMP 0000000100290e30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SetTextAlign 0000000074978401 5 bytes JMP 00000001002909f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!ExtSelectClipRgn 000000007497879f 5 bytes JMP 00000001002902f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SelectClipRgn 0000000074978916 5 bytes JMP 00000001002905b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!ExtTextOutW 0000000074978b7a 5 bytes JMP 0000000100290970 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!MoveToEx 0000000074978ee6 5 bytes JMP 0000000100290470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetFontData 0000000074979875 5 bytes JMP 0000000100290c70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetTextFaceW 0000000074979936 5 bytes JMP 0000000100290d30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!Rectangle 000000007497a53a 5 bytes JMP 00000001002909b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetClipBox 000000007497af9f 5 bytes JMP 0000000100290330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!LineTo 000000007497b9e5 5 bytes JMP 0000000100290430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SetICMMode 000000007497bd55 5 bytes JMP 0000000100290db0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!CreateICW 000000007497c040 5 bytes JMP 0000000100290130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32W 000000007497c107 5 bytes JMP 0000000100290670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SetWorldTransform 000000007497c269 5 bytes JMP 00000001002906f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetTextMetricsA 000000007497d1f1 5 bytes JMP 0000000100290df0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32A 000000007497d349 5 bytes JMP 0000000100290630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!ExtTextOutA 000000007497dce4 5 bytes JMP 0000000100290930 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007497e743 5 bytes JMP 00000001002900f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!ExtEscape 00000000749803b7 5 bytes JMP 00000001002902b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!Escape 0000000074981bda 5 bytes JMP 0000000100290270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetTextFaceA 0000000074981e89 5 bytes JMP 0000000100290cf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SetPolyFillMode 0000000074984843 5 bytes JMP 0000000100290b30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SetMiterLimit 0000000074985690 5 bytes JMP 0000000100290b70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!EndPage 0000000074986bde 5 bytes JMP 0000000100290230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!ResetDCW 000000007498e2db 5 bytes JMP 0000000100290ab0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007498e9a2 5 bytes JMP 00000001734815a0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007498ebdc 5 bytes JMP 000000017348119f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!GetGlyphOutlineW 000000007499940d 5 bytes JMP 0000000100290cb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!CreateScalableFontResourceW 000000007499c621 5 bytes JMP 0000000100290bb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 000000007499d2b2 5 bytes JMP 0000000100290bf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!RemoveFontResourceW 000000007499d919 5 bytes JMP 0000000100290c30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!AbortDoc 00000000749a3adc 5 bytes JMP 0000000100290030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!EndDoc 00000000749a3f29 5 bytes JMP 00000001002901f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!StartPage 00000000749a401a 5 bytes JMP 0000000100290730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!StartDocW 00000000749a4c51 5 bytes JMP 00000001002907f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!BeginPath 00000000749a53fd 5 bytes JMP 0000000100290830 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!SelectClipPath 00000000749a5454 5 bytes JMP 0000000100290af0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!CloseFigure 00000000749a54af 5 bytes JMP 0000000100290070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!EndPath 00000000749a5506 5 bytes JMP 0000000100290a70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!StrokePath 00000000749a573f 5 bytes JMP 00000001002907b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!FillPath 00000000749a57d2 5 bytes JMP 0000000100290870 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!PolylineTo 00000000749a5c44 5 bytes JMP 00000001002904f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!PolyBezierTo 00000000749a5cd5 5 bytes JMP 00000001002904b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\GDI32.dll!PolyDraw 00000000749a5d87 5 bytes JMP 00000001002908b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!MapWindowPoints 000000007566819d 5 bytes JMP 00000001002a0570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 000000007566c55d 5 bytes JMP 00000001002a02b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001002b01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 00000000756705ff 5 bytes JMP 00000001002a02f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetClientRect 00000000756708e5 7 bytes JMP 00000001002a05b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetParent 0000000075670b0e 7 bytes JMP 00000001002a06f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!IsWindowVisible 0000000075670cd5 7 bytes JMP 00000001002a06b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075670f14 5 bytes JMP 00000001002a05f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!MonitorFromWindow 00000000756727db 7 bytes JMP 00000001002a0630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!ScreenToClient 000000007567361b 7 bytes JMP 00000001002a0670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001002b03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!SetCursor 0000000075674076 5 bytes JMP 00000001002a0530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetTopWindow 0000000075677a54 7 bytes JMP 00000001002a0730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 00000001002b0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!IsClipboardFormatAvailable 00000000756787c9 5 bytes JMP 00000001002a00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetClipboardSequenceNumber 00000000756787e9 5 bytes JMP 00000001002a0330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!CloseClipboard 00000000756791f4 5 bytes JMP 00000001002a00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!OpenClipboard 0000000075679232 5 bytes JMP 00000001002a0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!ActivateKeyboardLayout 0000000075679485 5 bytes JMP 00000001002a04f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!EnumClipboardFormats 000000007567b779 5 bytes JMP 00000001002a01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetOpenClipboardWindow 000000007567b798 5 bytes JMP 00000001002a03f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!CountClipboardFormats 000000007567b7b6 5 bytes JMP 00000001002a01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007567b7e6 5 bytes JMP 00000001002a04b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetClipboardOwner 000000007567cee9 5 bytes JMP 00000001002a0370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 00000001002b0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameW 0000000075680880 5 bytes JMP 00000001002a0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!ChangeClipboardChain 000000007568ec67 5 bytes JMP 00000001002a0430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameA 000000007568f66f 5 bytes JMP 00000001002a0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 00000001002b0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!SetClipboardData 00000000756a8de7 5 bytes JMP 00000001002a0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!SetCursorPos 00000000756a9c8d 5 bytes JMP 00000001002a0770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756a9f3b 5 bytes JMP 00000001002a0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!EmptyClipboard 00000000756c7e49 5 bytes JMP 00000001002a0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetClipboardViewer 00000000756c82a1 5 bytes JMP 00000001002a0470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\USER32.dll!GetPriorityClipboardFormat 00000000756c84bf 5 bytes JMP 00000001002a03b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 00000001002c1014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 00000001002c0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 00000001002c0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 00000001002c0c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 00000001002c0e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001002c01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001002c03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 00000001002c0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!FreeContextBuffer 0000000074699606 5 bytes JMP 00000001003500f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!FreeCredentialsHandle 00000000746a0581 5 bytes JMP 0000000100350130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!DeleteSecurityContext 00000000746a0bb9 5 bytes JMP 0000000100350270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!ApplyControlToken 00000000746a0c2e 5 bytes JMP 00000001003501b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!QueryContextAttributesA 00000000746a0f2e 5 bytes JMP 0000000100350070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!QueryCredentialsAttributesA 00000000746a1096 5 bytes JMP 00000001003500b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000746a124e 5 bytes JMP 00000001003501f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!DecryptMessage 00000000746a129d 5 bytes JMP 0000000100350230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!AcquireCredentialsHandleA 00000000746a1527 5 bytes JMP 0000000100350030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\SspiCli.dll!InitializeSecurityContextA 00000000746a1590 5 bytes JMP 0000000100350170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074cd5ea5 5 bytes JMP 00000001734815d2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074d09d0b 5 bytes JMP 000000017348122b .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\ole32.dll!OleSetClipboard 0000000074d20045 5 bytes JMP 0000000100360030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\ole32.dll!OleIsCurrentClipboard 0000000074d236b2 5 bytes JMP 0000000100360070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\ole32.dll!OleGetClipboard 0000000074d4fdcd 5 bytes JMP 00000001003600b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000381401 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000381419 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000381431 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000038144a 2 bytes [38, 00] .text ... * 9 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000003814dd 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000003814f5 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000038150d 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000381525 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000038153d 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000381555 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000038156d 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000381585 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000038159d 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000003815b5 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000003815cd 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000003816b2 2 bytes [38, 00] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000003816bd 2 bytes [38, 00] .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076de3ae0 5 bytes JMP 000000010018075c .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076de7a90 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e113c0 5 bytes JMP 0000000076f70440 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e11410 5 bytes JMP 0000000076f70430 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e11490 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076e114f0 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e115c0 1 byte JMP 0000000076f70450 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076e115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e115d0 5 bytes JMP 000000010018163c .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e11680 5 bytes JMP 0000000076f70320 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e116b0 5 bytes JMP 0000000076f70380 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e11710 5 bytes JMP 0000000076f702e0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e11760 5 bytes JMP 0000000076f70410 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e11790 5 bytes JMP 0000000076f702d0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e117b0 5 bytes JMP 0000000076f70310 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e117f0 5 bytes JMP 0000000076f70390 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076e11810 5 bytes JMP 0000000100181284 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e11840 5 bytes JMP 0000000076f703c0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e119a0 1 byte JMP 0000000076f70230 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e11b60 5 bytes JMP 0000000076f70460 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e11b90 5 bytes JMP 0000000076f70370 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e11c70 5 bytes JMP 0000000076f702f0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e11c80 5 bytes JMP 0000000076f70350 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e11ce0 5 bytes JMP 0000000076f70290 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e11d70 5 bytes JMP 0000000076f702b0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e11d90 5 bytes JMP 0000000076f703a0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e11da0 1 byte JMP 0000000076f70330 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e11e10 5 bytes JMP 0000000076f703e0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e11e40 5 bytes JMP 0000000076f70240 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e12100 5 bytes JMP 0000000076f701e0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e121c0 1 byte JMP 0000000076f70250 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e121f0 5 bytes JMP 0000000076f70470 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e12200 5 bytes JMP 0000000076f70480 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e12230 5 bytes JMP 0000000076f70300 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e12240 5 bytes JMP 0000000076f70360 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e122a0 5 bytes JMP 0000000076f702a0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e122f0 5 bytes JMP 0000000076f702c0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e12330 5 bytes JMP 0000000076f70340 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e12620 5 bytes JMP 0000000076f70420 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e12820 5 bytes JMP 0000000076f70260 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e12830 5 bytes JMP 0000000076f70270 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e12840 1 byte JMP 0000000076f703d0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076e12842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e12a00 5 bytes JMP 0000000076f701f0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e12a10 5 bytes JMP 0000000076f70210 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e12a80 5 bytes JMP 0000000076f70200 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e12ae0 5 bytes JMP 0000000076f703f0 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e12af0 5 bytes JMP 0000000076f70400 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e12b00 5 bytes JMP 0000000076f70220 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e12be0 5 bytes JMP 0000000076f70280 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\system32\AUDIODG.EXE[3956] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075761d1b 5 bytes JMP 00000001734811d1 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075761dc9 5 bytes JMP 0000000173481019 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 0000000173481546 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075762d0a 5 bytes JMP 0000000173481271 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007498e9a2 5 bytes JMP 00000001734815a0 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007498ebdc 5 bytes JMP 000000017348119f .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 00000001001e1014 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 00000001001e0c0c .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 00000001001e0e10 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074cd5ea5 5 bytes JMP 00000001734815d2 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074d09d0b 5 bytes JMP 000000017348122b .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000006611401 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000006611419 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000006611431 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000661144a 2 bytes [61, 06] .text ... * 9 .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000066114dd 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000066114f5 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000661150d 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000006611525 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000661153d 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000006611555 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000661156d 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000006611585 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000661159d 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000066115b5 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000066115cd 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000066116b2 2 bytes [61, 06] .text C:\Program Files (x86)\Winamp\winamp.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000066116bd 2 bytes [61, 06] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075761d1b 5 bytes JMP 00000001734811d1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075761dc9 5 bytes JMP 0000000173481019 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 0000000173481546 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075762d0a 5 bytes JMP 0000000173481271 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007498e9a2 5 bytes JMP 00000001734815a0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007498ebdc 5 bytes JMP 000000017348119f .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 00000001001e1014 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 00000001001e0c0c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 00000001001e0e10 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000079e1401 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000079e1419 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000079e1431 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000079e144a 2 bytes [9E, 07] .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000079e14dd 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000079e14f5 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000079e150d 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000079e1525 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000079e153d 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000079e1555 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000079e156d 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000079e1585 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000079e159d 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000079e15b5 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000079e15cd 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000079e16b2 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000079e16bd 2 bytes [9E, 07] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000006e7411a8 2 bytes [74, 6E] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000006e74127d 2 bytes [74, 6E] .text ... * 6 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000006e7413a8 2 bytes [74, 6E] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000006e741422 2 bytes [74, 6E] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2540] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000006e741498 2 bytes [74, 6E] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075761d1b 5 bytes JMP 00000001734811d1 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075761dc9 5 bytes JMP 0000000173481019 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 0000000173481546 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075762d0a 5 bytes JMP 0000000173481271 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\user32.DLL!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001002d01f8 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001002d03fc .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000075678364 5 bytes JMP 00000001002d0600 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 00000000756806b3 5 bytes JMP 00000001002d0804 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 00000001002d0a08 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007498e9a2 5 bytes JMP 00000001734815a0 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007498ebdc 5 bytes JMP 000000017348119f .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 00000001002e1014 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 00000001002e0804 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 00000001002e0a08 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 00000001002e0c0c .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 00000001002e0e10 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001002e01f8 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001002e03fc .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 00000001002e0600 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000002421401 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000002421419 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000002421431 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000000242144a 2 bytes [42, 02] .text ... * 9 .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000024214dd 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000024214f5 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000000242150d 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000002421525 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000000242153d 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000002421555 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000000242156d 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000002421585 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000000242159d 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000024215b5 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000024215cd 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000024216b2 2 bytes [42, 02] .text C:\Users\Mateusz\Desktop\OTL.exe[4752] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000024216bd 2 bytes [42, 02] .text C:\Windows\System32\svchost.exe[4756] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe386e00 5 bytes JMP 000007ff7e3a1dac .text C:\Windows\System32\svchost.exe[4756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe386f2c 5 bytes JMP 000007ff7e3a0ecc .text C:\Windows\System32\svchost.exe[4756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe387220 5 bytes JMP 000007ff7e3a1284 .text C:\Windows\System32\svchost.exe[4756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe38739c 5 bytes JMP 000007ff7e3a163c .text C:\Windows\System32\svchost.exe[4756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe387538 5 bytes JMP 000007ff7e3a19f4 .text C:\Windows\System32\svchost.exe[4756] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3875e8 5 bytes JMP 000007ff7e3a03a4 .text C:\Windows\System32\svchost.exe[4756] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe38790c 5 bytes JMP 000007ff7e3a075c .text C:\Windows\System32\svchost.exe[4756] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe387ab4 5 bytes JMP 000007ff7e3a0b14 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076fbfaa0 5 bytes JMP 0000000100030600 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076fbfb38 5 bytes JMP 0000000100030804 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fbfc90 5 bytes JMP 0000000100030c0c .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fc0018 5 bytes JMP 0000000100030a08 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fdc45a 5 bytes JMP 00000001000301f8 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fe1217 5 bytes JMP 00000001000303fc .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075491429 7 bytes JMP 000000017348128a .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754aa30a 1 byte [62] .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 00000000754ab223 5 bytes JMP 000000017348158c .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000755288f4 7 bytes JMP 0000000173481334 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075528979 5 bytes JMP 00000001734816a4 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075528ccf 5 bytes JMP 000000017348101e .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075761d1b 5 bytes JMP 00000001734811d1 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075761dc9 5 bytes JMP 0000000173481019 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 0000000173481546 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075762d0a 5 bytes JMP 0000000173481271 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000751c5181 5 bytes JMP 0000000100241014 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000751c5254 5 bytes JMP 0000000100240804 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000751c53d5 5 bytes JMP 0000000100240a08 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000751c54c2 5 bytes JMP 0000000100240c0c .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000751c55e2 5 bytes JMP 0000000100240e10 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000751c567c 5 bytes JMP 00000001002401f8 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000751c589f 5 bytes JMP 00000001002403fc .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000751c5a22 5 bytes JMP 0000000100240600 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007498e9a2 5 bytes JMP 00000001734815a0 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007498ebdc 5 bytes JMP 000000017348119f .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007566f0e6 5 bytes JMP 00000001002501f8 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075673907 5 bytes JMP 00000001002503fc .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075678364 5 bytes JMP 0000000100250600 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756806b3 5 bytes JMP 0000000100250804 .text C:\Users\Mateusz\Desktop\egyox7y0.exe[4724] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075690efc 5 bytes JMP 0000000100250a08 ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef4572750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef4572b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef4577de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef4578130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef4571908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef4571c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef45781d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef4572878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef4577a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef4576c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef45777bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef4577064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef4576544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2128] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef4575e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.0 ---- Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1488] 0000000076ff2e25 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1492] 000000007310345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1504] 00000000751c7587 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1512] 0000000072948d60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1536] 00000000726e6fe0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1540] 00000000726e6900 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1628] 000000007310345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1640] 000000007310345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1648] 00000000726dc220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1652] 00000000726dc220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1656] 00000000726dc220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1660] 00000000726dd470 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1820] 00000000726dca80 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1824] 00000000726f86a0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1828] 00000000726f7480 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1832] 00000000726f7850 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1836] 00000000726de780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1840] 00000000726de780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1844] 00000000726de780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1848] 00000000719412f0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1852] 0000000071942c10 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1856] 0000000071942c10 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1860] 0000000071911070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1864] 000000007310345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1868] 000000007310345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1872] 00000000718c12f0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1876] 00000000718a1000 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1880] 00000000726e7b60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1884] 00000000726de280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1888] 000000007310345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1892] 00000000727f5400 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1900] 00000000719116a0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1904] 0000000071786120 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1924] 00000000718a1280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1928] 0000000072944290 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1932] 000000007310345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1940] 0000000072948650 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1944] 00000000729528c0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1948] 0000000072956680 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1952] 0000000072949280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1960] 0000000071391670 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1964] 0000000071391840 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1968] 000000007294b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1972] 000000007294b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1976] 000000007294b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1980] 000000007294b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1984] 000000007294b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1988] 0000000072950a60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1992] 000000007310345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1136] 00000000714b62ee Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1184] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1204] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1236] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1252] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1292] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1232] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1320] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1356] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1408] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1404] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1460] 00000000731032ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1472] 0000000076ff3e45 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1800] 0000000076ff3e45 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1372:1156] 0000000076ff3e45 Thread C:\Windows\System32\svchost.exe [4044:4612] 000007fef0bc9688 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4332] 0000000076ff2e25 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4160] 000000006c9cb280 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4456] 000000006ca07199 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4520] 000000006cab19e0 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:188] 000000006cab5a70 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:148] 000000006769628d Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:2292] 00000000676952c2 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:2288] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:2364] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:2344] 00000000714b62ee Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:2348] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4148] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:464] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4436] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:2836] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:2000] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:2060] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3848] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:720] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:404] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:5104] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4748] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:700] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3876] 00000000709132fb Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3180] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3716] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4264] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3492] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:1332] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:196] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4312] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4260] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4504] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3868] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3744] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:1096] 0000000076ff3e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3344] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4804] 0000000067c7670b Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3228] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3048] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:2888] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3220] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4944] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3144] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4400] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3936] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3724] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4628] 0000000074ec42ed Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:896] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3996] 000000006e7527e1 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:5112] 0000000070f327c1 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4376] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:912] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4772] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4104] 0000000076ff3e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4180] 0000000076ff3e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:764] 000000006cc2c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4828] 0000000074ced864 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4128] 0000000076ff3e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4100] 0000000076ff3e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4820] 0000000076ff3e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3732] 0000000076ff3e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:3232] 0000000076ff3e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [4352:4932] 0000000076ff3e45 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [648:4240] 000007fefe970168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [648:4884] 000007fefba52a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [648:4912] 000007feed63d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [648:3260] 000007fef6b65124 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [4544:1584] 00000000676952c2 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [4544:4896] 000000006420eb50 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [4544:736] 000000006420eb50 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [4544:2676] 0000000076ff2e25 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [4544:4892] 0000000076ff3e45 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [4544:4908] 000000006420eb50 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [4544:4856] 000000006420eb50 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [4544:3816] 000000006e7527e1 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [4544:3136] 0000000076ff3e45 ---- Processes - GMER 2.0 ---- Library ? (*** suspicious ***) @ C:\Windows\System32\svchost.exe [4044] 000007fefcbe0000 Library ? (*** suspicious ***) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [648] 000007fefe770000 ---- EOF - GMER 2.0 ----