GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-21 19:35:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1002FAEX-00Z3A0 rev.05.01D05 931.51GB Running: 1zlxryz0.exe; Driver: C:\Users\Chronos\AppData\Local\Temp\axtiafog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033b0000 45 bytes [00, 00, 2F, 00, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033b002f 17 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770a1360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770a1560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076e36ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076e38184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SetParent 0000000076e38530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!PostMessageA 0000000076e3a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!EnableWindow 0000000076e3aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!MoveWindow 0000000076e3aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076e3c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076e3cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076e3d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendMessageA 0000000076e3d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076e3dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076e3f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076e3f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076e3fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076e40b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076e44d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!GetKeyState 0000000076e45010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076e45438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendMessageW 0000000076e46b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!PostMessageW 0000000076e476e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076e4dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076e4e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076e4f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076e528e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!mouse_event 0000000076e53894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076e58a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076e58be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076e58c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendInput 0000000076e58cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!BlockInput 0000000076e5ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076e814e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!keybd_event 0000000076ea45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076eacc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076eadf18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770a1360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770a1560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe0c4750 5 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076e36ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076e38184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SetParent 0000000076e38530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!PostMessageA 0000000076e3a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!EnableWindow 0000000076e3aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!MoveWindow 0000000076e3aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076e3c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076e3cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076e3d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendMessageA 0000000076e3d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076e3dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076e3f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076e3f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076e3fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076e40b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076e44d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!GetKeyState 0000000076e45010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076e45438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendMessageW 0000000076e46b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!PostMessageW 0000000076e476e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076e4dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076e4e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076e4f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076e528e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!mouse_event 0000000076e53894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076e58a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076e58be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076e58c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendInput 0000000076e58cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!BlockInput 0000000076e5ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076e814e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!keybd_event 0000000076ea45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076eacc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076eadf18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0378 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd27a6f0 1 byte JMP 000007fffcdd0180 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefd27a6f2 5 bytes {JMP 0xffffffffffb55a90} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd27a6f0 1 byte JMP 000007fffcdd0180 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefd27a6f2 5 bytes {JMP 0xffffffffffb55a90} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe0c4750 5 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0378 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe0c4750 5 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0378 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd27a6f0 1 byte JMP 000007fffcdd0180 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefd27a6f2 5 bytes {JMP 0xffffffffffb55a90} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd27a6f0 1 byte JMP 000007fffcdd0180 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefd27a6f2 5 bytes {JMP 0xffffffffffb55a90} .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd27a6f0 1 byte JMP 000007fffcdd0180 .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefd27a6f2 5 bytes {JMP 0xffffffffffb55a90} .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe0c4750 5 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0378 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd27a6f0 1 byte JMP 000007fffcdd0180 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefd27a6f2 5 bytes {JMP 0xffffffffffb55a90} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1292] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\nvvsvc.exe[1300] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe0c4750 5 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0378 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd27a6f0 1 byte JMP 000007fffcdd0180 .text C:\Windows\system32\svchost.exe[1564] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefd27a6f2 5 bytes {JMP 0xffffffffffb55a90} .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd27a6f0 1 byte JMP 000007fffcdd0180 .text C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefd27a6f2 5 bytes {JMP 0xffffffffffb55a90} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007724ffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077250004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077250007 2 bytes [DE, 98] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772500b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772503b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077250550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772508a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007726c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077271287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007552103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075521072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007554c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074cef776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b98bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b990d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b997d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b9ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b9efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076ba291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SetParent 0000000076ba2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076ba2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076ba3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076ba3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076ba6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ba7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ba7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076ba76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076ba781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ba835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076bac4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076bbc112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076bbd0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076bbeb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076bbec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076bd9f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076be1497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076bf6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076bf6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076bf7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076bf88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752658b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075265ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075267bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007526b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007526c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007526cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007526e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007529480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1828] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a02642 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\Dwm.exe[1916] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076e36ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076e38184 7 bytes JMP 000000016fff0880 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SetParent 0000000076e38530 8 bytes JMP 000000016fff0730 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!PostMessageA 0000000076e3a404 5 bytes JMP 000000016fff0308 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!EnableWindow 0000000076e3aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!MoveWindow 0000000076e3aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076e3c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076e3cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076e3d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendMessageA 0000000076e3d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076e3dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076e3f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076e3f874 9 bytes JMP 000000016fff0298 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076e3fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076e40b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076e44d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!GetKeyState 0000000076e45010 5 bytes JMP 000000016fff0688 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076e45438 7 bytes JMP 000000016fff0500 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendMessageW 0000000076e46b50 5 bytes JMP 000000016fff0420 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!PostMessageW 0000000076e476e4 7 bytes JMP 000000016fff0340 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076e4dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076e4e874 5 bytes JMP 000000016fff0810 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076e4f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076e528e4 12 bytes JMP 000000016fff0538 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!mouse_event 0000000076e53894 7 bytes JMP 000000016fff0228 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076e58a10 8 bytes JMP 000000016fff0650 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076e58be0 12 bytes JMP 000000016fff0458 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076e58c20 12 bytes JMP 000000016fff0260 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendInput 0000000076e58cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!BlockInput 0000000076e5ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076e814e0 5 bytes JMP 000000016fff0928 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!keybd_event 0000000076ea45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076eacc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\Explorer.EXE[1940] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076eadf18 7 bytes JMP 000000016fff04c8 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Program Files\cFosSpeed\spd.exe[744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9e0 5 bytes JMP 000000011001d120 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fcb0 5 bytes JMP 000000011002fc20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fd64 5 bytes JMP 000000011002e100 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fdc8 5 bytes JMP 000000011002ed90 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fec0 5 bytes JMP 000000011002c3c0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007724ffa4 5 bytes JMP 000000011002e7a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077250004 2 bytes JMP 0000000110030080 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077250007 2 bytes [DE, 98] .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250084 5 bytes JMP 000000011002fe40 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772500b4 5 bytes JMP 000000011002e400 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772503b8 5 bytes JMP 000000011002cde0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077250550 5 bytes JMP 000000011002b670 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250694 5 bytes JMP 000000011002f8b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725088c 5 bytes JMP 000000011002bfe0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772508a4 5 bytes JMP 000000011002ca40 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250df4 5 bytes JMP 000000011002f6a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250ed8 5 bytes JMP 000000011002f220 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251be4 5 bytes JMP 000000011002f460 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251cb4 5 bytes JMP 000000011002c670 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d8c 5 bytes JMP 000000011002f020 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007726c4dd 5 bytes JMP 0000000110027f40 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077271287 7 bytes JMP 000000011001d240 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007552103d 5 bytes JMP 0000000110025070 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075521072 5 bytes JMP 0000000110025c00 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007554c965 5 bytes JMP 0000000110023ba0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074cef776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b98bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b990d3 7 bytes JMP 000000011001c470 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 5 bytes JMP 000000011001b1a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b997d2 5 bytes JMP 000000011001ac20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b9ee09 5 bytes JMP 000000011001c160 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b9efc9 5 bytes JMP 0000000110018140 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 5 bytes JMP 000000011001bc20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076ba291f 5 bytes JMP 00000001100193d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetParent 0000000076ba2d64 5 bytes JMP 0000000110018980 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076ba2da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076ba3698 5 bytes JMP 0000000110018c20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 5 bytes JMP 000000011001bec0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076ba3c61 5 bytes JMP 000000011001b980 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 5 bytes JMP 000000011001b440 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076ba6c30 7 bytes JMP 000000011001c690 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ba7603 5 bytes JMP 000000011001c8b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ba7668 5 bytes JMP 000000011001a160 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076ba76e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076ba781f 5 bytes JMP 000000011001aee0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ba835c 5 bytes JMP 000000011001cb20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076bac4b6 5 bytes JMP 0000000110018780 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076bbc112 5 bytes JMP 0000000110019eb0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076bbd0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076bbeb96 5 bytes JMP 0000000110019120 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076bbec68 5 bytes JMP 0000000110019680 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 5 bytes JMP 0000000110019930 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076bd9f1d 5 bytes JMP 0000000110018370 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076be1497 5 bytes JMP 0000000110017c90 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 5 bytes JMP 00000001100297c0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 5 bytes JMP 00000001100299d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076bf6cfc 5 bytes JMP 000000011001a960 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076bf6d5d 5 bytes JMP 000000011001a400 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076bf7dd7 5 bytes JMP 0000000110018580 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076bf88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752658b3 5 bytes JMP 0000000110028d10 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075265ea6 5 bytes JMP 0000000110029530 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075267bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007526b895 5 bytes JMP 0000000110028d50 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007526c332 5 bytes JMP 0000000110029280 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007526cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007526e743 5 bytes JMP 0000000110029d10 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007529480f 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a02642 5 bytes JMP 00000001100244d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072771a22 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072771ad0 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072771b08 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072771bba 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072771bda 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e11465 2 bytes [E1, 76] .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e114bb 2 bytes [E1, 76] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9e0 5 bytes JMP 000000011001d120 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fcb0 5 bytes JMP 000000011002fc20 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fd64 5 bytes JMP 000000011002e100 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fdc8 5 bytes JMP 000000011002ed90 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fec0 5 bytes JMP 000000011002c3c0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007724ffa4 5 bytes JMP 000000011002e7a0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077250004 2 bytes JMP 0000000110030080 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077250007 2 bytes [DE, 98] .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250084 5 bytes JMP 000000011002fe40 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772500b4 5 bytes JMP 000000011002e400 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772503b8 5 bytes JMP 000000011002cde0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077250550 5 bytes JMP 000000011002b670 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250694 5 bytes JMP 000000011002f8b0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725088c 5 bytes JMP 000000011002bfe0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772508a4 5 bytes JMP 000000011002ca40 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250df4 5 bytes JMP 000000011002f6a0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250ed8 5 bytes JMP 000000011002f220 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251be4 5 bytes JMP 000000011002f460 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251cb4 5 bytes JMP 000000011002c670 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d8c 5 bytes JMP 000000011002f020 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007726c4dd 5 bytes JMP 0000000110027f40 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077271287 7 bytes JMP 000000011001d240 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007552103d 5 bytes JMP 0000000110025070 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075521072 5 bytes JMP 0000000110025c00 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007554c965 5 bytes JMP 0000000110023ba0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074cef776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b98bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b990d3 7 bytes JMP 000000011001c470 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 5 bytes JMP 000000011001b1a0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b997d2 5 bytes JMP 000000011001ac20 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b9ee09 5 bytes JMP 000000011001c160 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b9efc9 5 bytes JMP 0000000110018140 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 5 bytes JMP 000000011001bc20 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076ba291f 5 bytes JMP 00000001100193d0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SetParent 0000000076ba2d64 5 bytes JMP 0000000110018980 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076ba2da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076ba3698 5 bytes JMP 0000000110018c20 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 5 bytes JMP 000000011001bec0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076ba3c61 5 bytes JMP 000000011001b980 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 5 bytes JMP 000000011001b440 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076ba6c30 7 bytes JMP 000000011001c690 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ba7603 5 bytes JMP 000000011001c8b0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ba7668 5 bytes JMP 000000011001a160 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076ba76e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076ba781f 5 bytes JMP 000000011001aee0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ba835c 5 bytes JMP 000000011001cb20 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076bac4b6 5 bytes JMP 0000000110018780 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076bbc112 5 bytes JMP 0000000110019eb0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076bbd0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076bbeb96 5 bytes JMP 0000000110019120 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076bbec68 5 bytes JMP 0000000110019680 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 5 bytes JMP 0000000110019930 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076bd9f1d 5 bytes JMP 0000000110018370 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076be1497 5 bytes JMP 0000000110017c90 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 5 bytes JMP 00000001100297c0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 5 bytes JMP 00000001100299d0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076bf6cfc 5 bytes JMP 000000011001a960 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076bf6d5d 5 bytes JMP 000000011001a400 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076bf7dd7 5 bytes JMP 0000000110018580 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076bf88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752658b3 5 bytes JMP 0000000110028d10 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075265ea6 5 bytes JMP 0000000110029530 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075267bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007526b895 5 bytes JMP 0000000110028d50 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007526c332 5 bytes JMP 0000000110029280 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007526cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007526e743 5 bytes JMP 0000000110029d10 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007529480f 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a02642 5 bytes JMP 00000001100244d0 .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072771a22 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072771ad0 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072771b08 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072771bba 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072771bda 2 bytes [77, 72] .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076e11465 2 bytes [E1, 76] .text C:\Windows\SysWOW64\PnkBstrB.exe[2120] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076e114bb 2 bytes [E1, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd27a6f0 1 byte JMP 000007fffcdd0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefd27a6f2 5 bytes {JMP 0xffffffffffb55a90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\SearchIndexer.exe[2608] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2404] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2404] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2404] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2404] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2404] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2404] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2404] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2404] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2404] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3768] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3768] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3768] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\AUDIODG.EXE[4704] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\taskhost.exe[2796] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\notepad.exe[3808] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\notepad.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\system32\notepad.exe[472] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\notepad.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\notepad.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\notepad.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\notepad.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\notepad.exe[580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\notepad.exe[580] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\notepad.exe[580] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\notepad.exe[580] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\notepad.exe[580] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\notepad.exe[580] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\notepad.exe[580] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\notepad.exe[580] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\notepad.exe[580] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\notepad.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd0260 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0298 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd02d0 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd0340 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077073b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077077ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a13a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a1570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a15e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a16c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770a1750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a1790 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770a17e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770a19f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770a1b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770a1bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770a1d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a20a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770a2130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a29a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770a2a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f3a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f51b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fc8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf353c0 7 bytes JMP 000007fffcdd0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefda322d0 5 bytes JMP 000007fffcdd02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\GDI32.dll!BitBlt 000007fefda324b8 5 bytes JMP 000007fffcdd0308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefda35be0 5 bytes JMP 000007fffcdd0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefda38384 9 bytes JMP 000007fffcdd01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefda389c4 9 bytes JMP 000007fffcdd01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\GDI32.dll!GetPixel 000007fefda3933c 5 bytes JMP 000007fffcdd0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefda3b9e8 5 bytes JMP 000007fffcdd03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4008] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefda3c8b0 5 bytes JMP 000007fffcdd0378 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9e0 5 bytes JMP 000000011001d120 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fcb0 5 bytes JMP 000000011002fc20 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fd64 5 bytes JMP 000000011002e100 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fdc8 5 bytes JMP 000000011002ed90 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fec0 5 bytes JMP 000000011002c3c0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007724ffa4 5 bytes JMP 000000011002e7a0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077250004 2 bytes JMP 0000000110030080 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077250007 2 bytes [DE, 98] .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250084 5 bytes JMP 000000011002fe40 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772500b4 5 bytes JMP 000000011002e400 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772503b8 5 bytes JMP 000000011002cde0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077250550 5 bytes JMP 000000011002b670 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250694 5 bytes JMP 000000011002f8b0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725088c 5 bytes JMP 000000011002bfe0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772508a4 5 bytes JMP 000000011002ca40 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250df4 5 bytes JMP 000000011002f6a0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250ed8 5 bytes JMP 000000011002f220 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251be4 5 bytes JMP 000000011002f460 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251cb4 5 bytes JMP 000000011002c670 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d8c 5 bytes JMP 000000011002f020 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007726c4dd 5 bytes JMP 0000000110027f40 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077271287 7 bytes JMP 000000011001d240 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007552103d 5 bytes JMP 0000000110025070 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075521072 5 bytes JMP 0000000110025c00 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007554c965 5 bytes JMP 0000000110023ba0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074cef776 5 bytes JMP 000000011001d270 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b98bff 5 bytes JMP 000000011001b6e0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b990d3 7 bytes JMP 000000011001c470 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 5 bytes JMP 000000011001b1a0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b997d2 5 bytes JMP 000000011001ac20 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b9ee09 5 bytes JMP 000000011001c160 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b9efc9 5 bytes JMP 0000000110018140 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 5 bytes JMP 000000011001bc20 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076ba291f 5 bytes JMP 00000001100193d0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SetParent 0000000076ba2d64 5 bytes JMP 0000000110018980 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076ba2da4 5 bytes JMP 0000000110017ea0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076ba3698 5 bytes JMP 0000000110018c20 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 5 bytes JMP 000000011001bec0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076ba3c61 5 bytes JMP 000000011001b980 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 5 bytes JMP 000000011001b440 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076ba6c30 7 bytes JMP 000000011001c690 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ba7603 5 bytes JMP 000000011001c8b0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ba7668 5 bytes JMP 000000011001a160 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076ba76e0 5 bytes JMP 000000011001a6a0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076ba781f 5 bytes JMP 000000011001aee0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ba835c 5 bytes JMP 000000011001cb20 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076bac4b6 5 bytes JMP 0000000110018780 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076bbc112 5 bytes JMP 0000000110019eb0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076bbd0f5 5 bytes JMP 0000000110019c00 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076bbeb96 5 bytes JMP 0000000110019120 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076bbec68 5 bytes JMP 0000000110019680 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 5 bytes JMP 0000000110019930 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076bd9f1d 5 bytes JMP 0000000110018370 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076be1497 5 bytes JMP 0000000110017c90 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 5 bytes JMP 00000001100297c0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 5 bytes JMP 00000001100299d0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076bf6cfc 5 bytes JMP 000000011001a960 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076bf6d5d 5 bytes JMP 000000011001a400 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076bf7dd7 5 bytes JMP 0000000110018580 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076bf88eb 5 bytes JMP 0000000110018f00 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752658b3 5 bytes JMP 0000000110028d10 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075265ea6 5 bytes JMP 0000000110029530 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075267bcc 5 bytes JMP 0000000110029e10 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007526b895 5 bytes JMP 0000000110028d50 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007526c332 5 bytes JMP 0000000110029280 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007526cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007526e743 5 bytes JMP 0000000110029d10 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007529480f 5 bytes JMP 0000000110028ff0 .text C:\Users\Chronos\Downloads\1zlxryz0.exe[4248] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a02642 5 bytes JMP 00000001100244d0 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef348741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef3485f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef3485674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef3485e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef3487f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef3486a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef3486ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef3487b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef3487ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef34878b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef3484fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef3485d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2228] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef3487584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- EOF - GMER 2.1 ----