GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-25 14:14:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB Running: ru93f23h.exe; Driver: C:\Users\ark\AppData\Local\Temp\uxriapow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031ac000 63 bytes [4C, 89, 68, C8, BF, 02, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 593 fffff800031ac041 12 bytes [48, BD, FF, FF, FF, FF, 0F, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077451360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077451560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000771e6ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000771e8184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetParent 00000000771e8530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!PostMessageA 00000000771ea404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!EnableWindow 00000000771eaaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!MoveWindow 00000000771eaad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000771ec720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000771ecd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000771ed2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageA 00000000771ed338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000771edc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000771ef510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000771ef874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000771efac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000771f0b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000771f4d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!GetKeyState 00000000771f5010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000771f5438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageW 00000000771f6b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!PostMessageW 00000000771f76e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000771fdd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!GetClipboardData 00000000771fe874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000771ff780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772028e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!mouse_event 0000000077203894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077208a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077208be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077208c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendInput 0000000077208cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!BlockInput 000000007720ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772314e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!keybd_event 00000000772545a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007725cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007725df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\csrss.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077451360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077451560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd644750 5 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000771e6ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000771e8184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetParent 00000000771e8530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostMessageA 00000000771ea404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!EnableWindow 00000000771eaaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!MoveWindow 00000000771eaad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000771ec720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000771ecd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000771ed2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageA 00000000771ed338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000771edc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000771ef510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000771ef874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000771efac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000771f0b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000771f4d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetKeyState 00000000771f5010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000771f5438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageW 00000000771f6b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostMessageW 00000000771f76e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000771fdd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetClipboardData 00000000771fe874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000771ff780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772028e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!mouse_event 0000000077203894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077208a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077208be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077208c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendInput 0000000077208cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!BlockInput 000000007720ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772314e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!keybd_event 00000000772545a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007725cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007725df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd150228 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150378 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\lsm.exe[740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\lsm.exe[740] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\lsm.exe[740] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\lsm.exe[740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\lsm.exe[740] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\lsm.exe[740] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd644750 5 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150378 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd644750 5 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150378 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd644750 5 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150378 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff0d7490 11 bytes JMP 000007fffd270228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1484] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff0ebf00 7 bytes JMP 000007fffd270260 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\nvvsvc.exe[1492] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\WLANExt.exe[1556] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\conhost.exe[1564] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\conhost.exe[1564] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\conhost.exe[1564] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\conhost.exe[1564] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\conhost.exe[1564] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\conhost.exe[1564] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\conhost.exe[1564] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\conhost.exe[1564] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\conhost.exe[1564] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\System32\spoolsv.exe[1652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd644750 5 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150378 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Windows\system32\taskhost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef781dc88 5 bytes JMP 000007fff77f00d8 .text C:\Windows\system32\Dwm.exe[1280] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef781de10 5 bytes JMP 000007fff77f0110 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\Explorer.EXE[1848] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[396] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[680] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2076] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752c1d1b 5 bytes JMP 0000000173be11c2 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000752c1dc9 5 bytes JMP 0000000173be1014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2aa4 5 bytes JMP 0000000173be1555 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752c2d0a 5 bytes JMP 0000000173be1271 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007508e96b 5 bytes JMP 0000000173be15c3 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007508eba5 5 bytes JMP 0000000173be1186 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000765e8a29 5 bytes JMP 0000000173be1726 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000765f4572 5 bytes JMP 0000000173be10a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007660e567 5 bytes JMP 0000000173be1415 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076647a5c 5 bytes JMP 0000000173be15d2 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076895ea5 5 bytes JMP 0000000173be15fa .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2168] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768c9d0b 5 bytes JMP 0000000173be121c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2204] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2300] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd150340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd1503b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150378 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\svchost.exe[2656] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2700] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2800] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2836] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2836] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2836] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2836] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2836] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2836] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2836] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2836] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2836] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff0d7490 11 bytes JMP 000007fffd270228 .text C:\Windows\system32\taskeng.exe[124] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff0ebf00 7 bytes JMP 000007fffd270260 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff0d7490 11 bytes JMP 000007fffd270228 .text C:\Windows\system32\taskeng.exe[2280] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff0ebf00 7 bytes JMP 000007fffd270260 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000010024d120 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000010025fc20 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000010025e100 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000010025ed90 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000010025c3c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000010025e7a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000100260080 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [C6, 88] .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000010025fe40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000010025e400 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000010025cde0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000010025b670 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000010025f8b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000010025bfe0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000010025ca40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000010025f6a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000010025f220 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000010025f460 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000010025c670 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000010025f020 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000100257f40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000010024d240 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000100255070 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000100255c00 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000100253ba0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3064] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752c1d1b 5 bytes JMP 0000000173be11c2 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000752c1dc9 5 bytes JMP 0000000173be1014 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2aa4 5 bytes JMP 0000000173be1555 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752c2d0a 5 bytes JMP 0000000173be1271 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076895ea5 5 bytes JMP 0000000173be15fa .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3048] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768c9d0b 5 bytes JMP 0000000173be121c .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\wbem\wmiprvse.exe[3056] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\igfxext.exe[3224] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\igfxext.exe[3224] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\igfxext.exe[3224] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\igfxext.exe[3224] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\igfxext.exe[3224] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\igfxext.exe[3224] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\igfxext.exe[3224] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\igfxext.exe[3224] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\igfxext.exe[3224] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\igfxsrvc.exe[3252] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\d3d9.dll!Direct3DCreate9Ex 000007fef6b12460 5 bytes JMP 000007fefd2702d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3388] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef6b496b0 6 bytes JMP 000007fefd270298 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\conhost.exe[3400] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[3624] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[3624] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[3624] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[3624] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[3624] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[3624] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[3624] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[3624] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\svchost.exe[3624] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\System32\rundll32.exe[3712] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\System32\igfxtray.exe[3176] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\System32\hkcmd.exe[3484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff0d7490 11 bytes JMP 000007fffd270228 .text C:\Windows\System32\igfxpers.exe[1916] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff0ebf00 7 bytes JMP 000007fffd270260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150308 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd150340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd1503b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150378 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff0d7490 11 bytes JMP 000007fffd270228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2948] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff0ebf00 7 bytes JMP 000007fffd270260 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150308 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd150340 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd1503b0 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150378 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff0d7490 11 bytes JMP 000007fffd270228 .text C:\Program Files\Elantech\ETDCtrl.exe[4148] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff0ebf00 7 bytes JMP 000007fffd270260 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752c1d1b 5 bytes JMP 0000000173be11c2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000752c1dc9 5 bytes JMP 0000000173be1014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2aa4 5 bytes JMP 0000000173be1555 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752c2d0a 5 bytes JMP 0000000173be1271 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007508e96b 5 bytes JMP 0000000173be15c3 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007508eba5 5 bytes JMP 0000000173be1186 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000765e8a29 5 bytes JMP 0000000173be1726 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000765f4572 5 bytes JMP 0000000173be10a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007660e567 5 bytes JMP 0000000173be1415 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076647a5c 5 bytes JMP 0000000173be15d2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076895ea5 5 bytes JMP 0000000173be15fa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768c9d0b 5 bytes JMP 0000000173be121c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76] .text ... * 2 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff0d7490 11 bytes JMP 000007fffd270228 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4324] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff0ebf00 7 bytes JMP 000007fffd270260 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76] .text C:\Windows\SysWOW64\RunDll32.exe[4640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76] .text ... * 2 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752c1d1b 5 bytes JMP 0000000173be11c2 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000752c1dc9 5 bytes JMP 0000000173be1014 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2aa4 5 bytes JMP 0000000173be1555 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752c2d0a 5 bytes JMP 0000000173be1271 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000765e8a29 5 bytes JMP 0000000173be1726 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000765f4572 5 bytes JMP 0000000173be10a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007660e567 5 bytes JMP 0000000173be1415 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076647a5c 5 bytes JMP 0000000173be15d2 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007508e96b 5 bytes JMP 0000000173be15c3 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007508eba5 5 bytes JMP 0000000173be1186 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076895ea5 5 bytes JMP 0000000173be15fa .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768c9d0b 5 bytes JMP 0000000173be121c .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76] .text ... * 2 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff0d7490 11 bytes JMP 000007fffd270228 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4684] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff0ebf00 7 bytes JMP 000007fffd270260 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752c1d1b 5 bytes JMP 0000000173be11c2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000752c1dc9 5 bytes JMP 0000000173be1014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2aa4 5 bytes JMP 0000000173be1555 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752c2d0a 5 bytes JMP 0000000173be1271 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007508e96b 5 bytes JMP 0000000173be15c3 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007508eba5 5 bytes JMP 0000000173be1186 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000765e8a29 5 bytes JMP 0000000173be1726 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000765f4572 5 bytes JMP 0000000173be10a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007660e567 5 bytes JMP 0000000173be1415 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076647a5c 5 bytes JMP 0000000173be15d2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076895ea5 5 bytes JMP 0000000173be15fa .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4728] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768c9d0b 5 bytes JMP 0000000173be121c .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752c1d1b 5 bytes JMP 0000000173be11c2 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000752c1dc9 5 bytes JMP 0000000173be1014 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2aa4 5 bytes JMP 0000000173be1555 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752c2d0a 5 bytes JMP 0000000173be1271 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007508e96b 5 bytes JMP 0000000173be15c3 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007508eba5 5 bytes JMP 0000000173be1186 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000765e8a29 5 bytes JMP 0000000173be1726 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000765f4572 5 bytes JMP 0000000173be10a0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007660e567 5 bytes JMP 0000000173be1415 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076647a5c 5 bytes JMP 0000000173be15d2 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076895ea5 5 bytes JMP 0000000173be15fa .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4840] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768c9d0b 5 bytes JMP 0000000173be121c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752c1d1b 5 bytes JMP 0000000173be11c2 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000752c1dc9 5 bytes JMP 0000000173be1014 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2aa4 5 bytes JMP 0000000173be1555 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752c2d0a 5 bytes JMP 0000000173be1271 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000765e8a29 5 bytes JMP 0000000173be1726 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000765f4572 5 bytes JMP 0000000173be10a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007660e567 5 bytes JMP 0000000173be1415 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076647a5c 5 bytes JMP 0000000173be15d2 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007508e96b 5 bytes JMP 0000000173be15c3 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007508eba5 5 bytes JMP 0000000173be1186 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076895ea5 5 bytes JMP 0000000173be15fa .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768c9d0b 5 bytes JMP 0000000173be121c .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752c1d1b 5 bytes JMP 0000000173be11c2 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000752c1dc9 5 bytes JMP 0000000173be1014 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2aa4 5 bytes JMP 0000000173be1555 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752c2d0a 5 bytes JMP 0000000173be1271 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007508e96b 5 bytes JMP 0000000173be15c3 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007508eba5 5 bytes JMP 0000000173be1186 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000765e8a29 5 bytes JMP 0000000173be1726 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000765f4572 5 bytes JMP 0000000173be10a0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007660e567 5 bytes JMP 0000000173be1415 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076647a5c 5 bytes JMP 0000000173be15d2 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076895ea5 5 bytes JMP 0000000173be15fa .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[5020] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768c9d0b 5 bytes JMP 0000000173be121c .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[4128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016ffe0110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016ffe0d50 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 3 bytes JMP 000000016ffe00d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 4 00000000774513a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 3 bytes JMP 000000016ffe0a78 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 0000000077451574 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 3 bytes JMP 000000016ffe0c00 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 4 00000000774515e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 3 bytes JMP 000000016ffe0b90 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 0000000077451624 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 3 bytes JMP 000000016ffe0c38 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774516c4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 3 bytes JMP 000000016ffe0b58 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 0000000077451754 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 3 bytes JMP 000000016ffe0998 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 0000000077451794 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 3 bytes JMP 000000016ffe09d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774517e4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 3 bytes JMP 000000016ffe0bc8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 4 0000000077451804 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 3 bytes JMP 000000016ffe0d18 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 4 00000000774519f4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 3 bytes JMP 000000016ffe0960 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077451b04 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 3 bytes JMP 000000016ffe0ab0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 4 0000000077451bd4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 3 bytes JMP 000000016ffe0c70 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077451d24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 3 bytes JMP 000000016ffe0ce0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 0000000077451d34 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 3 bytes JMP 000000016ffe0ae8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774520a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 3 bytes JMP 000000016ffe0ca8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 4 0000000077452134 4 bytes {JMP 0xffffffffffffffba} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 3 bytes JMP 000000016ffe0b20 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774529a4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 3 bytes JMP 000000016ffe0a08 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 0000000077452a24 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 3 bytes JMP 000000016ffe0a40 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 0000000077452aa4 4 bytes [F8, CC, CC, CC] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016ffe01b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000772eaf40 7 bytes JMP 000000016fff0260 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000772f4a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016ffe0148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077312990 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007731efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773499b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773594d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077359640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016ffe0180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007737a500 7 bytes JMP 000000016fff0228 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd1502d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150308 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd150340 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd1503b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4428] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150378 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefea9a6f0 1 byte JMP 000007fffd150180 .text C:\Windows\System32\svchost.exe[4340] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefea9a6f2 5 bytes {JMP 0xfffffffffe6b5a90} .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd288ef0 6 bytes JMP 000007fffd270148 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd29af60 5 bytes JMP 000007fffd270110 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff0d7490 11 bytes JMP 000007fffd270228 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff0ebf00 7 bytes JMP 000007fffd270260 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefebd89e0 8 bytes JMP 000007fffd2701f0 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefebdbe40 8 bytes JMP 000007fffd2701b8 .text C:\Windows\system32\wbem\unsecapp.exe[1592] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Windows\system32\DllHost.exe[5616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\DllHost.exe[5616] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\DllHost.exe[5616] C:\Windows\system32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\DllHost.exe[5616] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\DllHost.exe[5616] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\DllHost.exe[5616] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\DllHost.exe[5616] C:\Windows\system32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\DllHost.exe[5616] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\DllHost.exe[5616] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2368] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 00000001002ad120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 00000001002bfc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 00000001002be100 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 00000001002bed90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 00000001002bc3c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 00000001002be7a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 00000001002c0080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [CC, 88] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 00000001002bfe40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 00000001002be400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 00000001002bcde0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 00000001002bb670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 00000001002bf8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 00000001002bbfe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 00000001002bca40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 00000001002bf6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 00000001002bf220 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 00000001002bf460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 00000001002bc670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 00000001002bf020 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 00000001002b7f40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 00000001002ad240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 00000001002b5070 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 00000001002b5c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 00000001002b3ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 00000001002ad270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001002b44d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 00000001002ab6e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 00000001002ac470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 00000001002ab1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 00000001002aac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 00000001002ac160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 00000001002a8140 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 00000001002abc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001002a93d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 00000001002a8980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 00000001002a7ea0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 00000001002a8c20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 00000001002abec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 00000001002ab980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 00000001002ab440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 00000001002ac690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 00000001002ac8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 00000001002aa160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 00000001002aa6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 00000001002aaee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 00000001002acb20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 00000001002a8780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 00000001002a9eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 00000001002a9c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 00000001002a9120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 00000001002a9680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 00000001002a9930 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 00000001002a8370 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 00000001002a7c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001002b97c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001002b99d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 00000001002aa960 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 00000001002aa400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 00000001002a8580 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 00000001002a8f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 00000001002b8d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 00000001002b9530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 00000001002b9e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 00000001002b8d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 00000001002b9280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 00000001002b8ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 00000001002b9d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 00000001002b8ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76] .text ... * 2 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[5232] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[2620] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077423b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077427ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774513a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077451570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774515e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077451620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774516c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077451750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077451790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774517e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077451800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774519f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077451b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077451bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077451d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077451d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774520a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077452130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774529a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077452a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077452aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 00000000772ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077301b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000077378810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2953c0 7 bytes JMP 000007fffd150148 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefebd22d0 5 bytes JMP 000007fffd150260 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\GDI32.dll!BitBlt 000007fefebd24b8 5 bytes JMP 000007fffd150298 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefebd5be0 5 bytes JMP 000007fffd1502d0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefebd8384 9 bytes JMP 000007fffd1501f0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefebd89c4 9 bytes JMP 000007fffd1501b8 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\GDI32.dll!GetPixel 000007fefebd933c 5 bytes JMP 000007fffd150228 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefebdb9e8 5 bytes JMP 000007fffd150340 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefebdc8b0 5 bytes JMP 000007fffd150308 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ff9e0 5 bytes JMP 000000011001d120 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775ffcb0 5 bytes JMP 000000011002fc20 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775ffd64 5 bytes JMP 000000011002e100 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775ffdc8 5 bytes JMP 000000011002ed90 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775ffec0 5 bytes JMP 000000011002c3c0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775fffa4 5 bytes JMP 000000011002e7a0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077600004 2 bytes JMP 0000000110030080 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077600007 2 bytes [A3, 98] .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077600084 5 bytes JMP 000000011002fe40 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776000b4 5 bytes JMP 000000011002e400 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776003b8 5 bytes JMP 000000011002cde0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077600550 5 bytes JMP 000000011002b670 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077600694 5 bytes JMP 000000011002f8b0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007760088c 5 bytes JMP 000000011002bfe0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776008a4 5 bytes JMP 000000011002ca40 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077600df4 5 bytes JMP 000000011002f6a0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077600ed8 5 bytes JMP 000000011002f220 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077601be4 5 bytes JMP 000000011002f460 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077601cb4 5 bytes JMP 000000011002c670 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077601d8c 5 bytes JMP 000000011002f020 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007761c4dd 5 bytes JMP 0000000110027f40 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077621287 7 bytes JMP 000000011001d240 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000766e103d 5 bytes JMP 0000000110025070 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000766e1072 5 bytes JMP 0000000110025c00 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766e1eee 7 bytes JMP 0000000173be1695 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000766e5b85 7 bytes JMP 0000000173be11a9 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000766f13e1 7 bytes JMP 0000000173be128a .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766fea0d 7 bytes JMP 0000000173be1244 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007670b1d3 5 bytes JMP 0000000173be15aa .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007670c965 5 bytes JMP 0000000110023ba0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767888b4 7 bytes JMP 0000000173be1339 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076788939 5 bytes JMP 0000000173be16d6 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076788c8f 5 bytes JMP 0000000173be170d .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000752bf776 5 bytes JMP 000000011001d270 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752c1d1b 5 bytes JMP 0000000173be11c2 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000752c1dc9 5 bytes JMP 0000000173be1014 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752c2aa4 5 bytes JMP 0000000173be1555 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752c2d0a 5 bytes JMP 0000000173be1271 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000765e8a29 5 bytes JMP 0000000173be1726 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000765f4572 5 bytes JMP 0000000173be10a0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007660e567 5 bytes JMP 0000000173be1415 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076647a5c 5 bytes JMP 0000000173be15d2 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750758b3 5 bytes JMP 0000000110028d10 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075075ea6 5 bytes JMP 0000000110029530 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075077bcc 5 bytes JMP 0000000110029e10 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007507b895 5 bytes JMP 0000000110028d50 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007507c332 5 bytes JMP 0000000110029280 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007507cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007507e743 5 bytes JMP 0000000110029d10 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007508e96b 5 bytes JMP 0000000173be15c3 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007508eba5 5 bytes JMP 0000000173be1186 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750a480f 5 bytes JMP 0000000110028ff0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076cd2642 5 bytes JMP 00000001100244d0 .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076895ea5 5 bytes JMP 0000000173be15fa .text C:\Users\ark\Desktop\zabezpiecz kompa\ru93f23h.exe[3840] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768c9d0b 5 bytes JMP 0000000173be121c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde9ad6f0 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde9ad6f0@48dcfb5d64e8 0x3F 0xB8 0x69 0xC1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e839df56bc03 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde9ad6f0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde9ad6f0@48dcfb5d64e8 0x3F 0xB8 0x69 0xC1 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e839df56bc03 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CBC49FE4-4C77-486E-89A5-90635667FBB3.data 138752 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CBC49FE4-4C77-486E-89A5-90635667FBB3.data.info 136 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes ---- EOF - GMER 2.1 ----