GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-02 17:56:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005a WDC_WD25 rev.01.0 232,89GB Running: btpgoe5g.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003000000 65 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff80003000042 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a91360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a91560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077946ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077948184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SetParent 0000000077948530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!PostMessageA 000000007794a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!EnableWindow 000000007794aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!MoveWindow 000000007794aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007794c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007794cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007794d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendMessageA 000000007794d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007794dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007794f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007794f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007794fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077950b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077954d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!GetKeyState 0000000077955010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077955438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendMessageW 0000000077956b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!PostMessageW 00000000779576e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007795dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!GetClipboardData 000000007795e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007795f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779628e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!mouse_event 0000000077963894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077968a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077968be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077968c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendInput 0000000077968cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!BlockInput 000000007796ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000779914e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!keybd_event 00000000779b45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000779bcc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000779bdf18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a91360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a91560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\services.exe[620] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe254750 5 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077946ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077948184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SetParent 0000000077948530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!PostMessageA 000000007794a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!EnableWindow 000000007794aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!MoveWindow 000000007794aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007794c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007794cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007794d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendMessageA 000000007794d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007794dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007794f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007794f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007794fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077950b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077954d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!GetKeyState 0000000077955010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077955438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendMessageW 0000000077956b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!PostMessageW 00000000779576e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007795dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!GetClipboardData 000000007795e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007795f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779628e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!mouse_event 0000000077963894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077968a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077968be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077968c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendInput 0000000077968cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!BlockInput 000000007796ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000779914e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!keybd_event 00000000779b45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000779bcc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000779bdf18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0378 .text C:\Windows\system32\services.exe[620] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe17a6f0 1 byte JMP 000007fffd7c0180 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefe17a6f2 5 bytes {JMP 0xffffffffff645a90} .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\lsm.exe[636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\lsm.exe[636] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\lsm.exe[636] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\lsm.exe[636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\lsm.exe[636] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\lsm.exe[636] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe254750 5 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0378 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe254750 5 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0378 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe17a6f0 1 byte JMP 000007fffd7c0180 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefe17a6f2 5 bytes {JMP 0xffffffffff645a90} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe17a6f0 1 byte JMP 000007fffd7c0180 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefe17a6f2 5 bytes {JMP 0xffffffffff645a90} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe254750 5 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0378 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe17a6f0 1 byte JMP 000007fffd7c0180 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefe17a6f2 5 bytes {JMP 0xffffffffff645a90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\nvvsvc.exe[1376] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe254750 5 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0378 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe17a6f0 1 byte JMP 000007fffd7c0180 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefe17a6f2 5 bytes {JMP 0xffffffffff645a90} .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe17a6f0 1 byte JMP 000007fffd7c0180 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefe17a6f2 5 bytes {JMP 0xffffffffff645a90} .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077946ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077948184 7 bytes JMP 000000016fff0880 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SetParent 0000000077948530 8 bytes JMP 000000016fff0730 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!PostMessageA 000000007794a404 5 bytes JMP 000000016fff0308 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!EnableWindow 000000007794aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!MoveWindow 000000007794aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007794c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007794cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007794d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendMessageA 000000007794d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007794dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007794f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007794f874 9 bytes JMP 000000016fff0298 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007794fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077950b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077954d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!GetKeyState 0000000077955010 5 bytes JMP 000000016fff0688 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077955438 7 bytes JMP 000000016fff0500 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendMessageW 0000000077956b50 5 bytes JMP 000000016fff0420 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!PostMessageW 00000000779576e4 7 bytes JMP 000000016fff0340 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007795dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!GetClipboardData 000000007795e874 5 bytes JMP 000000016fff0810 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007795f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779628e4 12 bytes JMP 000000016fff0538 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!mouse_event 0000000077963894 7 bytes JMP 000000016fff0228 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077968a10 8 bytes JMP 000000016fff0650 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077968be0 12 bytes JMP 000000016fff0458 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077968c20 12 bytes JMP 000000016fff0260 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendInput 0000000077968cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!BlockInput 000000007796ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000779914e0 5 bytes JMP 000000016fff0928 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!keybd_event 00000000779b45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000779bcc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\Explorer.EXE[1772] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000779bdf18 7 bytes JMP 000000016fff04c8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c3f9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c3fcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c3fd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c3fdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c3fec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c3ffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c40004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077c40007 2 bytes [3F, 98] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c40084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c400b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c403b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c40550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c40694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c4088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c408a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c40df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c40ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c41be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c41cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c41d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c5c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c61287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000776cf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076b558b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076b55ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076b57bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076b5b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076b5c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076b5cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076b5e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076b8480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1864] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077402642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c3f9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c3fcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c3fd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c3fdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c3fec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c3ffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c40004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077c40007 2 bytes [3F, 98] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c40084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c400b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c403b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c40550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c40694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c4088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c408a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c40df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c40ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c41be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c41cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c41d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c5c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c61287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2ba 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000776cf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077402642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076b558b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076b55ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076b57bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076b5b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076b5c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076b5cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076b5e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076b8480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1148] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0308 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1224] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0378 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[1416] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c3f9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c3fcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c3fd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c3fdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c3fec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c3ffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c40004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077c40007 2 bytes [3F, 98] .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c40084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c400b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c403b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c40550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c40694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c4088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c408a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c40df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c40ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c41be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c41cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c41d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c5c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c61287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2ba 1 byte [62] .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1512] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577c965 5 bytes JMP 0000000110023ba0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c3f9e0 5 bytes JMP 000000011001d120 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c3fcb0 5 bytes JMP 000000011002fc20 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c3fd64 5 bytes JMP 000000011002e100 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c3fdc8 5 bytes JMP 000000011002ed90 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c3fec0 5 bytes JMP 000000011002c3c0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c3ffa4 5 bytes JMP 000000011002e7a0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c40004 2 bytes JMP 0000000110030080 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077c40007 2 bytes [3F, 98] .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c40084 5 bytes JMP 000000011002fe40 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c400b4 5 bytes JMP 000000011002e400 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c403b8 5 bytes JMP 000000011002cde0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c40550 5 bytes JMP 000000011002b670 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c40694 5 bytes JMP 000000011002f8b0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c4088c 5 bytes JMP 000000011002bfe0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c408a4 5 bytes JMP 000000011002ca40 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c40df4 5 bytes JMP 000000011002f6a0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c40ed8 5 bytes JMP 000000011002f220 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c41be4 5 bytes JMP 000000011002f460 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c41cb4 5 bytes JMP 000000011002c670 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c41d8c 5 bytes JMP 000000011002f020 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c5c4dd 5 bytes JMP 0000000110027f40 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c61287 7 bytes JMP 000000011001d240 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575103d 5 bytes JMP 0000000110025070 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751072 5 bytes JMP 0000000110025c00 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2ba 1 byte [62] .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577c965 5 bytes JMP 0000000110023ba0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000776cf776 5 bytes JMP 000000011001d270 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076b558b3 5 bytes JMP 0000000110028d10 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076b55ea6 5 bytes JMP 0000000110029530 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076b57bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076b5b895 5 bytes JMP 0000000110028d50 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076b5c332 5 bytes JMP 0000000110029280 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076b5cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076b5e743 5 bytes JMP 0000000110029d10 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076b8480f 5 bytes JMP 0000000110028ff0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\V0420Mon.exe[2016] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077402642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c3f9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c3fcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c3fd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c3fdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c3fec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c3ffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c40004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077c40007 2 bytes [3F, 98] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c40084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c400b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c403b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c40550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c40694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c4088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c408a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c40df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c40ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c41be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c41cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c41d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c5c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c61287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000776cf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077402642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076b558b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076b55ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076b57bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076b5b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076b5c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076b5cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076b5e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076b8480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2012] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c3f9e0 5 bytes JMP 000000011001d120 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c3fcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c3fd64 5 bytes JMP 000000011002e100 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c3fdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c3fec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c3ffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c40004 2 bytes JMP 0000000110030080 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077c40007 2 bytes [3F, 98] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c40084 5 bytes JMP 000000011002fe40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c400b4 5 bytes JMP 000000011002e400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c403b8 5 bytes JMP 000000011002cde0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c40550 5 bytes JMP 000000011002b670 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c40694 5 bytes JMP 000000011002f8b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c4088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c408a4 5 bytes JMP 000000011002ca40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c40df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c40ed8 5 bytes JMP 000000011002f220 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c41be4 5 bytes JMP 000000011002f460 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c41cb4 5 bytes JMP 000000011002c670 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c41d8c 5 bytes JMP 000000011002f020 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c5c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c61287 7 bytes JMP 000000011001d240 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575103d 5 bytes JMP 0000000110025070 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751072 5 bytes JMP 0000000110025c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000776cf776 5 bytes JMP 000000011001d270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076b558b3 5 bytes JMP 0000000110028d10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076b55ea6 5 bytes JMP 0000000110029530 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076b57bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076b5b895 5 bytes JMP 0000000110028d50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076b5c332 5 bytes JMP 0000000110029280 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076b5cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076b5e743 5 bytes JMP 0000000110029d10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076b8480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2100] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077402642 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3016] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0378 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[2352] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\svchost.exe[3328] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3664] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3664] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3664] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3664] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe17a6f0 1 byte JMP 000007fffd7c0180 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefe17a6f2 5 bytes {JMP 0xffffffffff645a90} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c3f9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c3fcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c3fd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c3fdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c3fec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c3ffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c40004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077c40007 2 bytes [3F, 98] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c40084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c400b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c403b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c40550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c40694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c4088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c408a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c40df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c40ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c41be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c41cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c41d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c5c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c61287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2ba 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000776cf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000758d1465 2 bytes [8D, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758d14bb 2 bytes [8D, 75] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076b558b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076b55ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076b57bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076b5b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076b5c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076b5cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076b5e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076b8480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077402642 5 bytes JMP 00000001100244d0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077946ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077948184 7 bytes JMP 000000016fff0880 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SetParent 0000000077948530 8 bytes JMP 000000016fff0730 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!PostMessageA 000000007794a404 5 bytes JMP 000000016fff0308 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!EnableWindow 000000007794aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!MoveWindow 000000007794aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007794c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007794cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007794d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendMessageA 000000007794d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007794dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007794f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007794f874 9 bytes JMP 000000016fff0298 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007794fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077950b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077954d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!GetKeyState 0000000077955010 5 bytes JMP 000000016fff0688 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077955438 7 bytes JMP 000000016fff0500 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendMessageW 0000000077956b50 5 bytes JMP 000000016fff0420 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!PostMessageW 00000000779576e4 7 bytes JMP 000000016fff0340 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007795dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!GetClipboardData 000000007795e874 5 bytes JMP 000000016fff0810 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007795f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779628e4 12 bytes JMP 000000016fff0538 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!mouse_event 0000000077963894 7 bytes JMP 000000016fff0228 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077968a10 8 bytes JMP 000000016fff0650 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077968be0 12 bytes JMP 000000016fff0458 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077968c20 12 bytes JMP 000000016fff0260 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendInput 0000000077968cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!BlockInput 000000007796ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000779914e0 5 bytes JMP 000000016fff0928 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!keybd_event 00000000779b45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000779bcc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000779bdf18 7 bytes JMP 000000016fff04c8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c3f9e0 5 bytes JMP 000000011001d120 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c3fcb0 5 bytes JMP 000000011002fc20 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c3fd64 5 bytes JMP 000000011002e100 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c3fdc8 5 bytes JMP 000000011002ed90 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c3fec0 5 bytes JMP 000000011002c3c0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c3ffa4 5 bytes JMP 000000011002e7a0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c40004 2 bytes JMP 0000000110030080 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077c40007 2 bytes [3F, 98] .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c40084 5 bytes JMP 000000011002fe40 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c400b4 5 bytes JMP 000000011002e400 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c403b8 5 bytes JMP 000000011002cde0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c40550 5 bytes JMP 000000011002b670 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c40694 5 bytes JMP 000000011002f8b0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c4088c 5 bytes JMP 000000011002bfe0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c408a4 5 bytes JMP 000000011002ca40 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c40df4 5 bytes JMP 000000011002f6a0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c40ed8 5 bytes JMP 000000011002f220 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c41be4 5 bytes JMP 000000011002f460 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c41cb4 5 bytes JMP 000000011002c670 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c41d8c 5 bytes JMP 000000011002f020 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c5c4dd 5 bytes JMP 0000000110027f40 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c61287 7 bytes JMP 000000011001d240 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575103d 5 bytes JMP 0000000110025070 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751072 5 bytes JMP 0000000110025c00 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2ba 1 byte [62] .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577c965 5 bytes JMP 0000000110023ba0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000776cf776 5 bytes JMP 000000011001d270 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076b558b3 5 bytes JMP 0000000110028d10 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076b55ea6 5 bytes JMP 0000000110029530 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076b57bcc 5 bytes JMP 0000000110029e10 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076b5b895 5 bytes JMP 0000000110028d50 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076b5c332 5 bytes JMP 0000000110029280 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076b5cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076b5e743 5 bytes JMP 0000000110029d10 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076b8480f 5 bytes JMP 0000000110028ff0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077402642 5 bytes JMP 00000001100244d0 .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000758d1465 2 bytes [8D, 75] .text C:\Users\User\Downloads\OTL.exe[3256] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000758d14bb 2 bytes [8D, 75] .text ... * 2 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\notepad.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\notepad.exe[4436] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\notepad.exe[4436] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\taskhost.exe[4376] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a63b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a67ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a913a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a91570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a915e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a91620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a916c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a91750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a91790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a917e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a91800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a919f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a91b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a91bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a91d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a91d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a920a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a92130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a929a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a92a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a92aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 000000007782a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077841b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007787eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\kernel32.dll!CreateProcessA 00000000778b8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd7c0148 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefed422d0 5 bytes JMP 000007fffd7c0260 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\GDI32.dll!BitBlt 000007fefed424b8 5 bytes JMP 000007fffd7c0298 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefed45be0 5 bytes JMP 000007fffd7c02d0 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefed48384 9 bytes JMP 000007fffd7c01f0 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefed489c4 9 bytes JMP 000007fffd7c01b8 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\GDI32.dll!GetPixel 000007fefed4933c 5 bytes JMP 000007fffd7c0228 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefed4b9e8 5 bytes JMP 000007fffd7c0340 .text C:\Windows\system32\AUDIODG.EXE[5012] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefed4c8b0 5 bytes JMP 000007fffd7c0308 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c3f9e0 5 bytes JMP 000000011001d120 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c3fcb0 5 bytes JMP 000000011002fc20 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c3fd64 5 bytes JMP 000000011002e100 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c3fdc8 5 bytes JMP 000000011002ed90 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c3fec0 5 bytes JMP 000000011002c3c0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c3ffa4 5 bytes JMP 000000011002e7a0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c40004 2 bytes JMP 0000000110030080 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077c40007 2 bytes [3F, 98] .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c40084 5 bytes JMP 000000011002fe40 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c400b4 5 bytes JMP 000000011002e400 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c403b8 5 bytes JMP 000000011002cde0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c40550 5 bytes JMP 000000011002b670 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c40694 5 bytes JMP 000000011002f8b0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c4088c 5 bytes JMP 000000011002bfe0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c408a4 5 bytes JMP 000000011002ca40 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c40df4 5 bytes JMP 000000011002f6a0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c40ed8 5 bytes JMP 000000011002f220 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c41be4 5 bytes JMP 000000011002f460 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c41cb4 5 bytes JMP 000000011002c670 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c41d8c 5 bytes JMP 000000011002f020 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c5c4dd 5 bytes JMP 0000000110027f40 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c61287 7 bytes JMP 000000011001d240 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575103d 5 bytes JMP 0000000110025070 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751072 5 bytes JMP 0000000110025c00 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2ba 1 byte [62] .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577c965 5 bytes JMP 0000000110023ba0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000776cf776 5 bytes JMP 000000011001d270 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076b558b3 5 bytes JMP 0000000110028d10 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076b55ea6 5 bytes JMP 0000000110029530 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076b57bcc 5 bytes JMP 0000000110029e10 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076b5b895 5 bytes JMP 0000000110028d50 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076b5c332 5 bytes JMP 0000000110029280 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076b5cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076b5e743 5 bytes JMP 0000000110029d10 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076b8480f 5 bytes JMP 0000000110028ff0 .text C:\Users\User\Downloads\btpgoe5g.exe[4220] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077402642 5 bytes JMP 00000001100244d0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [3488:3032] 000007fef4e09688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167b3bb76 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167b3bb76 (not active ControlSet) ---- EOF - GMER 2.1 ----