GMER 2.1.18952 - http://www.gmer.net Rootkit scan 2013-02-15 18:50:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JEDO 596,17GB Running: u7guhbwz.exe; Driver: C:\Users\Admin\AppData\Local\Temp\pgddrpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c613c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c615c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000779c7640 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000779c9554 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetParent 00000000779c9870 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!PostMessageA 00000000779cca54 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!EnableWindow 00000000779cd0f0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!MoveWindow 00000000779cd120 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000779cf0c4 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000779cf690 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000779cfc50 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageA 00000000779cfcd8 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000779d03f0 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000779d1f30 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000779d2294 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000779d3464 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000779d71e8 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!GetKeyState 00000000779d78c0 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000779d8e28 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000779d8f9c 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!PostMessageW 00000000779d92d4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageW 00000000779da800 2 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageW + 3 00000000779da803 2 bytes [61, F8] .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000779e0bf8 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!GetClipboardData 00000000779e1584 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000779e2360 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779e5508 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!mouse_event 00000000779e62c4 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000779e91a0 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000779e92e0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000779e9320 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendInput 00000000779e93d0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!BlockInput 00000000779eb430 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000077a116e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!keybd_event 0000000077a34474 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000077a3cc58 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000077a3dec8 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c613c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c615c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed76bd0 5 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000779c7640 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000779c9554 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetParent 00000000779c9870 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostMessageA 00000000779cca54 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!EnableWindow 00000000779cd0f0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!MoveWindow 00000000779cd120 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000779cf0c4 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000779cf690 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000779cfc50 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageA 00000000779cfcd8 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000779d03f0 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000779d1f30 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000779d2294 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000779d3464 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000779d71e8 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetKeyState 00000000779d78c0 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000779d8e28 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000779d8f9c 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostMessageW 00000000779d92d4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageW 00000000779da800 2 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageW + 3 00000000779da803 2 bytes [61, F8] .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000779e0bf8 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetClipboardData 00000000779e1584 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000779e2360 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779e5508 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!mouse_event 00000000779e62c4 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000779e91a0 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000779e92e0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000779e9320 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendInput 00000000779e93d0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!BlockInput 00000000779eb430 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000077a116e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!keybd_event 0000000077a34474 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000077a3cc58 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000077a3dec8 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe000228 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000378 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffe8a1a0 7 bytes JMP 000007fffe000180 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed76bd0 5 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe000228 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000378 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed76bd0 5 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe000228 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000378 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffe8a1a0 7 bytes JMP 000007fffe000180 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffe8a1a0 7 bytes JMP 000007fffe000180 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\System32\svchost.exe[672] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffe8a1a0 7 bytes JMP 000007fffe000180 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed76bd0 5 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe000228 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000378 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffe8a1a0 7 bytes JMP 000007fffe000180 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1280] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\nvvsvc.exe[1292] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1372] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\FBAgent.exe[1572] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffe8a1a0 7 bytes JMP 000007fffe000180 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1608] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1696] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\Explorer.EXE[1748] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\System32\spoolsv.exe[1900] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed76bd0 5 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe000228 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000378 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffe8a1a0 7 bytes JMP 000007fffe000180 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\taskhost.exe[1960] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1328] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1328] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1328] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1328] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1328] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1328] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1328] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1328] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1328] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\taskeng.exe[1656] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075c858b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075c85ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075c87bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075c8b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075c8c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075c8cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075c8e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2084] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075cb4646 5 bytes JMP 0000000110028ff0 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\AsScrPro.exe[2104] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\SysWOW64\ACEngSvr.exe[2140] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2172] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2188] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2196] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\System32\igfxtray.exe[2256] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\System32\hkcmd.exe[2264] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\System32\igfxpers.exe[2276] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe0002d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000308 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe000340 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe0003b0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2308] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000378 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe0002d0 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000308 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe000340 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe0003b0 .text C:\Program Files\Elantech\ETDCtrl.exe[2332] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000378 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe0002d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000308 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe000340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe0003b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2476] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000378 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe0002d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000308 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe000340 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe0003b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2736] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000378 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Program Files\Intel\TurboBoost\TurboBoost.exe[2424] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[2676] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2584] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000010029d120 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 00000001002afc20 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 00000001002ae100 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 00000001002aed90 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 00000001002ac3c0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 00000001002ae7a0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 00000001002b0080 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [4A, 88] .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 00000001002afe40 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 00000001002ae400 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 00000001002acde0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 00000001002ab670 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 00000001002af8b0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 00000001002abfe0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 00000001002aca40 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 00000001002af6a0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 00000001002af220 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 00000001002af460 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 00000001002ac670 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 00000001002af020 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 00000001002a7f40 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000010029d240 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 00000001002a5070 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 00000001002a5c00 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 00000001002a3ba0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000010029d270 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075c858b3 5 bytes JMP 00000001002a8d10 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075c85ea6 5 bytes JMP 00000001002a9530 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075c87bcc 5 bytes JMP 00000001002a9e10 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075c8b895 5 bytes JMP 00000001002a8d50 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075c8c332 5 bytes JMP 00000001002a9280 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075c8cbfb 5 bytes JMP 00000001002a8ae0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075c8e743 5 bytes JMP 00000001002a9d10 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2364] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075cb4646 5 bytes JMP 00000001002a8ff0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075aa2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075c858b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075c85ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075c87bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075c8b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075c8c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075c8cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075c8e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075cb4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075818e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007581cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007581d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007581d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007581f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075820f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075820f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075822902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000758235fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075823cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075823d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SetParent 0000000075823f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075823f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075824858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007582492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075828364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007582b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007582c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758306b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007583090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075832959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007583eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007583f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007583f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075840f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendInput 000000007584195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075859f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000758615ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!mouse_event 000000007587040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!keybd_event 000000007587044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075876e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075876eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075877f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2540] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075878a7b 5 bytes JMP 0000000110018f00 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\SearchIndexer.exe[3192] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007753a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077551b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075818e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007581cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007581d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007581d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007581f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075820f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075820f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075822902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000758235fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075823cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075823d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SetParent 0000000075823f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075823f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075824858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007582492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075828364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007582b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007582c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758306b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007583090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075832959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007583eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007583f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007583f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075840f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendInput 000000007584195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075859f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000758615ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!mouse_event 000000007587040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!keybd_event 000000007587044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075876e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075876eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075877f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075878a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075c858b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075c85ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075c87bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075c8b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075c8c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075c8cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075c8e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075cb4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1500] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075aa2538 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c33ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c37a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c61400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c61640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c61720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c61840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077c61842 6 bytes {JMP 0xfffffffff838f190} .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c61860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c61a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c61c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c61d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c62100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c62190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c62a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe3867c0 7 bytes JMP 000007fffe000148 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9322cc 5 bytes JMP 000007fffe000260 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9324c0 5 bytes JMP 000007fffe000298 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe935be0 5 bytes JMP 000007fffe0002d0 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe938398 9 bytes JMP 000007fffe0001f0 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9389c8 9 bytes JMP 000007fffe0001b8 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe939344 5 bytes JMP 000007fffe000228 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe93b9e8 5 bytes JMP 000007fffe000340 .text C:\Windows\system32\wuauclt.exe[4080] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe945410 5 bytes JMP 000007fffe000308 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e0f9c0 5 bytes JMP 000000011001d120 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e0fc90 5 bytes JMP 000000011002fc20 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e0fd44 5 bytes JMP 000000011002e100 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e0fda8 5 bytes JMP 000000011002ed90 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077e0fea0 5 bytes JMP 000000011002c3c0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e0ff84 5 bytes JMP 000000011002e7a0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e0ffe4 2 bytes JMP 0000000110030080 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077e0ffe7 2 bytes [22, 98] .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077e10064 5 bytes JMP 000000011002fe40 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e10094 5 bytes JMP 000000011002e400 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077e10398 5 bytes JMP 000000011002cde0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077e10530 5 bytes JMP 000000011002b670 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077e10674 5 bytes JMP 000000011002f8b0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077e1086c 5 bytes JMP 000000011002bfe0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077e10884 5 bytes JMP 000000011002ca40 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e10dd4 5 bytes JMP 000000011002f6a0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077e10eb8 5 bytes JMP 000000011002f220 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077e11bc4 5 bytes JMP 000000011002f460 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077e11c94 5 bytes JMP 000000011002c670 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077e11d6c 5 bytes JMP 000000011002f020 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e2c45a 5 bytes JMP 0000000110027f40 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e31217 7 bytes JMP 000000011001d240 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076e9103d 5 bytes JMP 0000000110025070 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076e91072 5 bytes JMP 0000000110025c00 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076ebc9b5 5 bytes JMP 0000000110023ba0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f776 5 bytes JMP 000000011001d270 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075818e6e 5 bytes JMP 000000011001b6e0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007581cd35 5 bytes JMP 000000011001b1a0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007581d0da 5 bytes JMP 000000011001ac20 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007581d277 5 bytes JMP 0000000110018140 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007581f0e6 5 bytes JMP 000000011001c160 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075820f14 5 bytes JMP 000000011001bc20 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075820f9f 7 bytes JMP 000000011001c470 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075822902 5 bytes JMP 00000001100193d0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000758235fb 5 bytes JMP 0000000110018c20 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075823cbf 5 bytes JMP 000000011001bec0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075823d76 5 bytes JMP 000000011001b980 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SetParent 0000000075823f14 5 bytes JMP 0000000110018980 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075823f54 5 bytes JMP 0000000110017ea0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075824858 5 bytes JMP 0000000110019120 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007582492a 5 bytes JMP 0000000110019680 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075828364 5 bytes JMP 000000011001cb20 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007582b7e6 5 bytes JMP 0000000110018780 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007582c991 5 bytes JMP 0000000110019eb0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758306b3 5 bytes JMP 000000011001c8b0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007583090f 5 bytes JMP 000000011001a6a0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075832959 5 bytes JMP 0000000110019c00 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007583eef4 5 bytes JMP 000000011001b440 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007583f422 5 bytes JMP 000000011001aee0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007583f9b0 7 bytes JMP 000000011001c690 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075840f60 5 bytes JMP 000000011001a160 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendInput 000000007584195e 5 bytes JMP 0000000110019930 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075859f3b 5 bytes JMP 0000000110018370 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000758615ef 5 bytes JMP 0000000110017c90 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!mouse_event 000000007587040b 5 bytes JMP 00000001100297c0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!keybd_event 000000007587044f 5 bytes JMP 00000001100299d0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075876e8c 5 bytes JMP 000000011001a960 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075876eed 5 bytes JMP 000000011001a400 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075877f67 5 bytes JMP 0000000110018580 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075878a7b 5 bytes JMP 0000000110018f00 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075c858b3 5 bytes JMP 0000000110028d10 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075c85ea6 5 bytes JMP 0000000110029530 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075c87bcc 5 bytes JMP 0000000110029e10 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075c8b895 5 bytes JMP 0000000110028d50 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075c8c332 5 bytes JMP 0000000110029280 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075c8cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075c8e743 5 bytes JMP 0000000110029d10 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075cb4646 5 bytes JMP 0000000110028ff0 .text C:\Users\Admin\Desktop\u7guhbwz.exe[4720] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075aa2538 5 bytes JMP 00000001100244d0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4312:1244] 000007fefc1c2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4312:1456] 000007fef0dbd618 ---- EOF - GMER 2.1 ----