GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-20 14:14:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000070 ST932032 rev.0002 298,09GB Running: rr5qwnvl.exe; Driver: C:\Users\Dawid\AppData\Local\Temp\pxldqpog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800039f1000 63 bytes [25, 88, 01, 00, 00, 8B, 88, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 625 fffff800039f1041 3 bytes [49, 8B, 7F] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880047c0d64 12 bytes {MOV RAX, 0xfffffa80049292a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001002e00ac .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001002e004c .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001002e010c .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001002e016c .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001002e01cc .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\wininit.exe[440] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001003c00ac .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001003c004c .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001003c010c .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001003c016c .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001003c01cc .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\services.exe[500] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001d00ac .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001001d004c .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001001d010c .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001001d016c .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001d01cc .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001700ac .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010017004c .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010017010c .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010017016c .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001701cc .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\lsm.exe[520] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001800ac .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010018004c .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010018010c .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010018016c .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001801cc .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001002900ac .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010029004c .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010029010c .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010029016c .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001002901cc .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001e00ac .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001001e004c .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001001e010c .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001001e016c .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001e01cc .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\nvvsvc.exe[748] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001001b00a8 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001001b00e4 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 00000001001b0120 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 00000001001b0030 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 00000001001b006c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001002301d4 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001002300e4 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 0000000100230120 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 000000010023015c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 0000000100230198 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 0000000100230030 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 5 bytes JMP 000000010023006c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001002300a8 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 0000000100240030 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 000000010024006c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001002400e4 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001002400a8 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[772] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 0000000100240120 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001000e00ac .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001000e004c .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001000e010c .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001000e016c .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001000e01cc .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001000a00ac .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001000a004c .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001000a010c .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001000a016c .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001000a01cc .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001a00ac .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001001a004c .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001001a010c .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001001a016c .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001a01cc .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001003800ac .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010038004c .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010038010c .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010038016c .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001003801cc .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001003800ac .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010038004c .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010038010c .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010038016c .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001003801cc .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001100ac .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010011004c .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010011010c .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010011016c .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001101cc .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001d00ac .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001001d004c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001001d010c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001001d016c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001d01cc .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1200] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001a00ac .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001001a004c .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001001a010c .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001001a016c .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001a01cc .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001001c00a8 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001001c00e4 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 00000001001c0120 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 00000001001c0030 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 00000001001c006c .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 0000000100240030 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 000000010024006c .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001002400e4 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001002400a8 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 0000000100240120 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001002501d4 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001002500e4 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 0000000100250120 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 000000010025015c .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 0000000100250198 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 0000000100250030 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 3 bytes JMP 000000010025006c .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 4 00000000758c58a3 1 byte [8A] .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1272] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001002500a8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001001c00a8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001001c00e4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 00000001001c0120 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 00000001001c0030 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 00000001001c006c .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001002401d4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001002400e4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 0000000100240120 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 000000010024015c .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 0000000100240198 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 0000000100240030 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 5 bytes JMP 000000010024006c .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001002400a8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 0000000100250030 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 000000010025006c .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001002500e4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001002500a8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1316] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 0000000100250120 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001001c00a8 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001001c00e4 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 00000001001c0120 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 00000001001c0030 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 00000001001c006c .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 0000000100240030 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 000000010024006c .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001002400e4 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001002400a8 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 0000000100240120 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001002501d4 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001002500e4 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 0000000100250120 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 000000010025015c .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 0000000100250198 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 0000000100250030 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 3 bytes JMP 000000010025006c .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 4 00000000758c58a3 1 byte [8A] .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1352] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001002500a8 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001002000ac .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010020004c .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010020010c .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010020016c .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001002001cc .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\Dwm.exe[1676] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001003300ac .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010033004c .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010033010c .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010033016c .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001003301cc .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\Explorer.EXE[1700] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001002100ac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010021004c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010021010c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010021016c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001002101cc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1856] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001004000ac .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010040004c .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010040010c .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010040016c .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001004001cc .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Program Files\Elantech\ETDCtrl.exe[1896] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001001c00a8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001001c00e4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 00000001001c0120 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 00000001001c0030 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 00000001001c006c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 00000001001d0030 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 00000001001d006c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001001d00e4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001001d00a8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 00000001001d0120 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001001e01d4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001001e00e4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 00000001001e0120 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 00000001001e015c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 00000001001e0198 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 00000001001e0030 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 5 bytes JMP 00000001001e006c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1944] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001001e00a8 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001005700ac .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010057004c .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010057010c .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010057016c .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001005701cc .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1956] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001002300ac .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010023004c .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010023010c .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010023016c .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001002301cc .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\WindowsMobile\wmdcBase.exe[1964] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001001c00a8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001001c00e4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 00000001001c0120 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 00000001001c0030 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 00000001001c006c .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 0000000100240030 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 000000010024006c .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001002400e4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001002400a8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 0000000100240120 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001002501d4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001002500e4 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 0000000100250120 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 000000010025015c .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 0000000100250198 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 0000000100250030 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 3 bytes JMP 000000010025006c .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 4 00000000758c58a3 1 byte [8A] .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[1972] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001002500a8 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001003d00a8 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001003d00e4 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 00000001003d0120 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 00000001003d0030 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 00000001003d006c .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001008d01d4 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001008d00e4 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 00000001008d0120 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 00000001008d015c .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 00000001008d0198 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 00000001008d0030 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 5 bytes JMP 00000001008d006c .text C:\Program Files\GG\gg.exe[1980] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001008d00a8 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\syswow64\user32.DLL!SetWinEventHook 00000000757dee09 5 bytes JMP 00000001008e0030 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 00000000757e3982 5 bytes JMP 00000001008e006c .text C:\Program Files\GG\gg.exe[1980] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001008e00e4 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001008e00a8 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 00000001008e0120 .text C:\Program Files\GG\gg.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] .text C:\Program Files\GG\gg.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... * 2 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001900ac .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010019004c .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010019010c .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010019016c .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001901cc .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\System32\spoolsv.exe[3092] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001100ac .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010011004c .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010011010c .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010011016c .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001101cc .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\taskhost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001800ac .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010018004c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010018010c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010018016c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001801cc .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001001900a8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001001900e4 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 0000000100190120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 0000000100190030 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 000000010019006c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 00000001001a0030 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 00000001001a006c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001001a00e4 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001001a00a8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 00000001001a0120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001002601d4 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001002600e4 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 0000000100260120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 000000010026015c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 0000000100260198 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 0000000100260030 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 5 bytes JMP 000000010026006c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3604] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001002600a8 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001a00ac .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001001a004c .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001001a010c .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001001a016c .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001a01cc .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[3668] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001000700a8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001000700e4 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 0000000100070120 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 0000000100070030 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 000000010007006c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001001001d4 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001001000e4 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 0000000100100120 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 000000010010015c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 0000000100100198 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 0000000100100030 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 5 bytes JMP 000000010010006c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001001000a8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 0000000100110030 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 000000010011006c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001001100e4 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001001100a8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3968] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 0000000100110120 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001004200ac .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010042004c .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010042010c .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010042016c .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001004201cc .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001300ac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010013004c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010013010c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010013016c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001301cc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4088] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001700ac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010017004c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010017010c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010017016c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001701cc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3812] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001001c00a8 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001001c00e4 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 00000001001c0120 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 00000001001c0030 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 00000001001c006c .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 0000000100240030 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 000000010024006c .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001002400e4 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001002400a8 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 0000000100240120 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001002601d4 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001002600e4 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 0000000100260120 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 000000010026015c .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 0000000100260198 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 0000000100260030 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 5 bytes JMP 000000010026006c .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3448] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001002600a8 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001003700ac .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010037004c .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010037010c .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010037016c .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001003701cc .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001003700ac .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010037004c .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010037010c .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010037016c .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001003701cc .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\SearchIndexer.exe[2620] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001b00ac .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 00000001001b004c .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 00000001001b010c .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 00000001001b016c .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001b01cc .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\system32\svchost.exe[2956] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001002100ac .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010021004c .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010021010c .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010021016c .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001002101cc .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\System32\svchost.exe[4376] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001001600ac .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010016004c .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010016010c .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010016016c .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001001601cc .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\DllHost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001000900a8 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001000900e4 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 0000000100090120 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 0000000100090030 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 000000010009006c .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 0000000100110030 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 000000010011006c .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001001100e4 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001001100a8 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 0000000100110120 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758c5181 5 bytes JMP 00000001001201d4 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758c5254 5 bytes JMP 00000001001200e4 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758c53d5 5 bytes JMP 0000000100120120 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758c54c2 5 bytes JMP 000000010012015c .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758c55e2 5 bytes JMP 0000000100120198 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758c567c 5 bytes JMP 0000000100120030 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758c589f 5 bytes JMP 000000010012006c .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4788] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758c5a22 5 bytes JMP 00000001001200a8 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a23ae0 5 bytes JMP 00000001002600ac .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a27a90 5 bytes JMP 000000010026004c .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a513c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a51410 5 bytes JMP 0000000077bb0370 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a51490 5 bytes JMP 000000010026010c .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a514f0 5 bytes JMP 000000010026016c .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a515c0 5 bytes JMP 0000000077bb0390 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51680 5 bytes JMP 0000000077bb0320 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a51710 5 bytes JMP 0000000077bb02e0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51790 5 bytes JMP 0000000077bb02d0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a517b0 5 bytes JMP 0000000077bb0310 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a51810 5 bytes JMP 00000001002601cc .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a519a0 1 byte JMP 0000000077bb0230 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b60 5 bytes JMP 0000000077bb03a0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c70 5 bytes JMP 0000000077bb02f0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c80 5 bytes JMP 0000000077bb0350 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51ce0 5 bytes JMP 0000000077bb0290 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d70 5 bytes JMP 0000000077bb02b0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51da0 1 byte JMP 0000000077bb0330 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51e40 5 bytes JMP 0000000077bb0240 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a52100 5 bytes JMP 0000000077bb01e0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a521c0 1 byte JMP 0000000077bb0250 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a521f0 5 bytes JMP 0000000077bb03b0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a52200 5 bytes JMP 0000000077bb03c0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a52230 5 bytes JMP 0000000077bb0300 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a52240 5 bytes JMP 0000000077bb0360 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a522a0 5 bytes JMP 0000000077bb02a0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a522f0 5 bytes JMP 0000000077bb02c0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a52330 5 bytes JMP 0000000077bb0340 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a52820 5 bytes JMP 0000000077bb0260 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a52830 5 bytes JMP 0000000077bb0270 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a52a00 5 bytes JMP 0000000077bb01f0 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a52a10 5 bytes JMP 0000000077bb0210 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a80 5 bytes JMP 0000000077bb0200 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52b00 5 bytes JMP 0000000077bb0220 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52be0 5 bytes JMP 0000000077bb0280 .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffcf6e00 5 bytes JMP 000007ff7fd102ec .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffcf6f2c 5 bytes JMP 000007ff7fd1016c .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffcf7220 5 bytes JMP 000007ff7fd101cc .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffcf739c 1 byte JMP 000007ff7fd1022c .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A + 2 000007feffcf739e 3 bytes {JMP 0xffffffff80018e90} .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffcf7538 5 bytes JMP 000007ff7fd1028c .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffcf75e8 5 bytes JMP 000007ff7fd1004c .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffcf790c 5 bytes JMP 000007ff7fd100ac .text C:\Windows\System32\svchost.exe[4816] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffcf7ab4 5 bytes JMP 000007ff7fd1010c .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bffaa0 5 bytes JMP 00000001001c00a8 .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bffb38 5 bytes JMP 00000001001c00e4 .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c00018 5 bytes JMP 00000001001c0120 .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c1c45a 5 bytes JMP 00000001001c0030 .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c21217 5 bytes JMP 00000001001c006c .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757dee09 5 bytes JMP 00000001002b0030 .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757e3982 5 bytes JMP 00000001002b006c .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757e7603 5 bytes JMP 00000001002b00e4 .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757e835c 5 bytes JMP 00000001002b00a8 .text C:\Users\Dawid\Desktop\rr5qwnvl.exe[2716] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757ff52b 5 bytes JMP 00000001002b0120 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800103cf1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800103ccc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800103d69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800103da98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800103d8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa8003fd52c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800497a2c0 Device \Driver\nvstor64 \Device\00000070 fffffa8003fd12c0 Device \Driver\nvstor64 \Device\RaidPort0 fffffa8003fd12c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{709B9FB9-2180-43A3-BBB3-B632B627DBC8} fffffa800487b2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80047602c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{BAC1A701-B718-4087-B67E-24A028C82478} fffffa800487b2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80049482c0 Device \Driver\nvstor64 \Device\00000071 fffffa8003fd12c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800497a2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800487b2c0 Device \Driver\nvstor64 \Device\ScsiPort0 fffffa8003fd12c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80049482c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003fd12c0]<< sptd.sys storport.sys hal.dll nvstor64.sys fffffa8003fd12c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80045e1620] fffffa80045e1620 Trace 3 CLASSPNP.SYS[fffff880017b943f] -> nt!IofCallDriver -> [0xfffffa80047afe40] fffffa80047afe40 Trace 5 ACPI.sys[fffff8800118c7a1] -> nt!IofCallDriver -> \Device\00000070[0xfffffa800448f9c0] fffffa800448f9c0 Trace \Driver\nvstor64[0xfffffa8004486c80] -> IRP_MJ_CREATE -> 0xfffffa8003fd12c0 fffffa8003fd12c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE0 0xBB 0xCF 0x31 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA0 0xF9 0xBD 0xEA ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8F 0x20 0x9A 0xC5 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD7 0x7C 0x97 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD7 0x7C 0x97 0xBE ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA0 0xF9 0xBD 0xEA ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x76 0xC3 0xB5 0x25 ... ---- Files - GMER 2.1 ---- File C:\ADSM_PData_0150 0 bytes File C:\ADSM_PData_0150\DB 0 bytes File C:\ADSM_PData_0150\DB\SI.db 624 bytes File C:\ADSM_PData_0150\DB\UL.db 16 bytes File C:\ADSM_PData_0150\DB\VL.db 16 bytes File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable File C:\ADSM_PData_0150\_avt 512 bytes ---- EOF - GMER 2.1 ----