GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-28 19:09:29 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000067 WDC_____ rev.03.0 465,76GB Running: j9n9hutv.exe; Driver: C:\Users\IZA\AppData\Local\Temp\uxriipow.sys ---- User code sections - GMER 2.2 ---- .text C:\windows\system32\csrss.exe[464] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007752bde0 8 bytes JMP 000000006fff00d8 .text C:\windows\system32\csrss.exe[464] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007752bfe0 8 bytes JMP 000000006fff0110 .text C:\windows\system32\csrss.exe[464] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 000000006fff0148 .text C:\windows\system32\csrss.exe[612] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007752bde0 8 bytes JMP 000000006fff00d8 .text C:\windows\system32\csrss.exe[612] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007752bfe0 8 bytes JMP 000000006fff0110 .text C:\windows\system32\csrss.exe[612] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 000000006fff0148 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\services.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\windows\system32\services.exe[652] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\windows\system32\services.exe[652] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\services.exe[652] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\services.exe[652] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4a2930 5 bytes JMP 000007febce10358 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SwitchDesktop 00000000773e5330 7 bytes JMP 0000000037521498 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!RegisterRawInputDevices 00000000773e6ea0 8 bytes JMP 0000000037521018 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SystemParametersInfoA 00000000773e80e4 7 bytes JMP 00000000375212b8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetParent 00000000773e8480 8 bytes JMP 0000000037521078 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetWindowLongA 00000000773e9b10 6 bytes JMP 00000000375207d8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!PostMessageA 00000000773ea354 5 bytes JMP 0000000037520958 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!EnableWindow 00000000773eaa00 9 bytes JMP 0000000037521378 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!MoveWindow 00000000773eaa30 8 bytes JMP 00000000375210d8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetWindowLongPtrA 00000000773eb474 6 bytes JMP 0000000037520898 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!GetAsyncKeyState 00000000773ec63c 5 bytes JMP 0000000037520fb8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!RegisterHotKey 00000000773ecc90 8 bytes JMP 0000000037521258 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!PostThreadMessageA 00000000773ed204 5 bytes JMP 0000000037520a18 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendMessageA 00000000773ed290 5 bytes JMP 0000000037520ad8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetThreadDesktop 00000000773ed660 8 bytes JMP 000000006fff0148 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendNotifyMessageW 00000000773edbc0 9 bytes JMP 0000000037520d78 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SystemParametersInfoW 00000000773ef490 7 bytes JMP 0000000037521318 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetWindowsHookExW 00000000773ef804 9 bytes JMP 0000000037520718 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendMessageTimeoutW 00000000773efa50 9 bytes JMP 0000000037520bf8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!PostThreadMessageW 00000000773f0b14 10 bytes JMP 0000000037520a78 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetWindowLongW 00000000773f3340 8 bytes JMP 0000000037520838 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetWinEventHook 00000000773f4ccc 5 bytes JMP 0000000037520778 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!GetKeyState 00000000773f4f80 5 bytes JMP 0000000037520f58 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendMessageCallbackW 00000000773f53d0 7 bytes JMP 0000000037520cb8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendMessageW 00000000773f6b04 5 bytes JMP 0000000037520b38 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetWindowLongPtrW 00000000773f76ac 8 bytes JMP 00000000375208f8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!PostMessageW 00000000773f76d4 7 bytes JMP 00000000375209b8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendDlgItemMessageW 00000000773fdd9c 5 bytes JMP 0000000037520e38 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetClipboardData 00000000773fe43c 5 bytes JMP 000000006fff00d8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!GetClipboardData 00000000773fe854 5 bytes JMP 000000006fff0110 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetClipboardViewer 00000000773ff780 8 bytes JMP 0000000037521138 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendNotifyMessageA 00000000774028d4 12 bytes JMP 0000000037520d18 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!mouse_event 0000000077403874 7 bytes JMP 000000006fff01f0 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!GetKeyboardState 00000000774089c0 8 bytes JMP 0000000037520ef8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077408b88 12 bytes JMP 0000000037520b98 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077408bd0 12 bytes JMP 00000000375206b8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendInput 0000000077408c90 8 bytes JMP 000000006fff0180 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!BlockInput 000000007740ad10 8 bytes JMP 0000000037521198 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!ClipCursor 000000007740ad60 8 bytes JMP 0000000037521438 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!PrintWindow 000000007740b130 8 bytes JMP 000000006fff0260 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!ExitWindowsEx 0000000077431534 5 bytes JMP 00000000375213d8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SetSystemCursor 00000000774545b0 5 bytes JMP 00000000375214f8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!keybd_event 0000000077454610 7 bytes JMP 000000006fff01b8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007745cc7c 5 bytes JMP 0000000037520dd8 .text C:\windows\system32\services.exe[652] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007745df8c 7 bytes JMP 0000000037520c58 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\services.exe[652] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\lsass.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\lsass.exe[676] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\lsm.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\lsm.exe[684] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\USER32.dll!SetThreadDesktop 00000000773ed660 8 bytes JMP 000000006fff0148 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\USER32.dll!SetClipboardData 00000000773fe43c 5 bytes JMP 000000006fff00d8 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\USER32.dll!GetClipboardData 00000000773fe854 5 bytes JMP 000000006fff0110 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\USER32.dll!mouse_event 0000000077403874 7 bytes JMP 000000006fff01f0 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\USER32.dll!SendInput 0000000077408c90 8 bytes JMP 000000006fff0180 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\USER32.dll!PrintWindow 000000007740b130 8 bytes JMP 000000006fff0260 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\USER32.dll!keybd_event 0000000077454610 7 bytes JMP 000000006fff01b8 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\winlogon.exe[760] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4a2930 5 bytes JMP 000007febce10358 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[832] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[896] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4a2930 5 bytes JMP 000007febce10358 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[896] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007752beb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 1 byte JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 2 000000007752c282 6 bytes {JMP 0xfffffffff8ac3e90} .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\atiesrxx.exe[388] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\System32\svchost.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\System32\svchost.exe[460] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[600] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4a2930 5 bytes JMP 000007febce10358 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[980] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[1180] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[1180] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[1180] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[1180] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[1268] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[1268] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefd9202d0 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefd920148 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefd920260 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefd9201b8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefd920110 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefd9200d8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefd920298 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefd920180 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefd9201f0 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefd920228 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\atieclxx.exe[1324] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4a2930 5 bytes JMP 000007febce10358 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[1396] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefd8d02d0 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefd8d0148 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefd8d0260 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefd8d01b8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefd8d0110 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefd8d00d8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefd8d0298 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefd8d0180 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefd8d01f0 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefd8d0228 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\System32\spoolsv.exe[1516] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076393bbb 5 bytes JMP 000000007392edf0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076399abc 2 bytes JMP 00000000739befe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076399abf 2 bytes [62, FD] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\kernel32.dll!CopyFileExW 00000000763a3b7a 7 bytes JMP 00000000739bfba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000763acd11 5 bytes JMP 00000000739becd0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000763fddde 7 bytes JMP 00000000739bf210 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000763fde81 7 bytes JMP 00000000739bf520 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 71440000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000076a558b3 5 bytes JMP 000000007392bdc0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076a55ea5 5 bytes JMP 000000007392a4d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076a57bb4 5 bytes JMP 000000007392a200 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!GetPixel 0000000076a5a854 5 bytes JMP 000000007392baf0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000076a5ac45 5 bytes JMP 000000007392a870 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000076a5af54 5 bytes JMP 000000007392b390 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000076a5bdd9 5 bytes JMP 000000007392ac20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000076a5d7fd 5 bytes JMP 000000007392a3b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000076a6e524 5 bytes JMP 000000007392b740 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076a84b42 5 bytes JMP 000000007392afe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1616] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076c99c3b 5 bytes JMP 00000000739cc2e0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefd8d02d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefd8d0148 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefd8d0260 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefd8d01b8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefd8d0110 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefd8d00d8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefd8d0298 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefd8d0180 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefd8d01f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefd8d0228 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1732] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1788] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\System32\svchost.exe[1924] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\System32\svchost.exe[1924] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[1956] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[1956] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefd8d02d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefd8d0148 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefd8d0260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefd8d01b8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefd8d0110 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefd8d00d8 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefd8d0298 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefd8d0180 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefd8d01f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1980] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefd8d0228 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 6f2c0000 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000076a558b3 5 bytes JMP 000000007392bdc0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076a55ea5 5 bytes JMP 000000007392a4d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076a57bb4 5 bytes JMP 000000007392a200 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!GetPixel 0000000076a5a854 5 bytes JMP 000000007392baf0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000076a5ac45 5 bytes JMP 000000007392a870 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000076a5af54 5 bytes JMP 000000007392b390 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000076a5bdd9 5 bytes JMP 000000007392ac20 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000076a5d7fd 5 bytes JMP 000000007392a3b0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000076a6e524 5 bytes JMP 000000007392b740 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[2036] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076a84b42 5 bytes JMP 000000007392afe0 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2208] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076393bbb 5 bytes JMP 000000007392edf0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076399abc 2 bytes JMP 00000000739befe0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076399abf 2 bytes [62, FD] .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\kernel32.dll!CopyFileExW 00000000763a3b7a 7 bytes JMP 00000000739bfba0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000763acd11 5 bytes JMP 00000000739becd0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000763fddde 7 bytes JMP 00000000739bf210 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000763fde81 7 bytes JMP 00000000739bf520 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 70480000 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\OLE32.dll!CoCreateInstance 0000000076c99c3b 5 bytes JMP 00000000739cc2e0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe[2244] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files\SlimService\SlimServiceFactory.exe[2252] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 6f120000 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[2284] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076c99c3b 5 bytes JMP 00000000739cc2e0 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[2332] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[2332] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[2332] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[2332] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[2332] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[2664] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\System32\WUDFHost.exe[2764] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0180 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\taskhost.exe[2872] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\taskeng.exe[2964] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\Dwm.exe[2976] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0180 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefd9202d0 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefd920148 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefd920260 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefd9201b8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefd920110 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefd9200d8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefd920298 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefd920180 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefd9201f0 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefd920228 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SwitchDesktop 00000000773e5330 7 bytes JMP 0000000037521498 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!RegisterRawInputDevices 00000000773e6ea0 8 bytes JMP 0000000037521018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SystemParametersInfoA 00000000773e80e4 7 bytes JMP 00000000375212b8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetParent 00000000773e8480 8 bytes JMP 0000000037521078 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetWindowLongA 00000000773e9b10 6 bytes JMP 00000000375207d8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!PostMessageA 00000000773ea354 5 bytes JMP 0000000037520958 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!EnableWindow 00000000773eaa00 9 bytes JMP 0000000037521378 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!MoveWindow 00000000773eaa30 8 bytes JMP 00000000375210d8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetWindowLongPtrA 00000000773eb474 6 bytes JMP 0000000037520898 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!GetAsyncKeyState 00000000773ec63c 5 bytes JMP 0000000037520fb8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!RegisterHotKey 00000000773ecc90 8 bytes JMP 0000000037521258 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!PostThreadMessageA 00000000773ed204 5 bytes JMP 0000000037520a18 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendMessageA 00000000773ed290 5 bytes JMP 0000000037520ad8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetThreadDesktop 00000000773ed660 8 bytes JMP 000000006fff0148 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendNotifyMessageW 00000000773edbc0 9 bytes JMP 0000000037520d78 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SystemParametersInfoW 00000000773ef490 7 bytes JMP 0000000037521318 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetWindowsHookExW 00000000773ef804 9 bytes JMP 0000000037520718 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendMessageTimeoutW 00000000773efa50 9 bytes JMP 0000000037520bf8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!PostThreadMessageW 00000000773f0b14 10 bytes JMP 0000000037520a78 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetWindowLongW 00000000773f3340 8 bytes JMP 0000000037520838 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetWinEventHook 00000000773f4ccc 5 bytes JMP 0000000037520778 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!GetKeyState 00000000773f4f80 5 bytes JMP 0000000037520f58 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendMessageCallbackW 00000000773f53d0 7 bytes JMP 0000000037520cb8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendMessageW 00000000773f6b04 5 bytes JMP 0000000037520b38 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetWindowLongPtrW 00000000773f76ac 8 bytes JMP 00000000375208f8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!PostMessageW 00000000773f76d4 7 bytes JMP 00000000375209b8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendDlgItemMessageW 00000000773fdd9c 5 bytes JMP 0000000037520e38 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetClipboardData 00000000773fe43c 5 bytes JMP 000000006fff00d8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!GetClipboardData 00000000773fe854 5 bytes JMP 000000006fff0110 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetClipboardViewer 00000000773ff780 8 bytes JMP 0000000037521138 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendNotifyMessageA 00000000774028d4 12 bytes JMP 0000000037520d18 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!mouse_event 0000000077403874 7 bytes JMP 0000000037520658 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!GetKeyboardState 00000000774089c0 8 bytes JMP 0000000037520ef8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077408b88 12 bytes JMP 0000000037520b98 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077408bd0 12 bytes JMP 00000000375206b8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendInput 0000000077408c90 8 bytes JMP 0000000037520e98 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!BlockInput 000000007740ad10 8 bytes JMP 0000000037521198 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!ClipCursor 000000007740ad60 8 bytes JMP 0000000037521438 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!PrintWindow 000000007740b130 8 bytes JMP 000000006fff01b8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!ExitWindowsEx 0000000077431534 5 bytes JMP 00000000375213d8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SetSystemCursor 00000000774545b0 5 bytes JMP 00000000375214f8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!keybd_event 0000000077454610 7 bytes JMP 00000000375205f8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007745cc7c 5 bytes JMP 0000000037520dd8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007745df8c 7 bytes JMP 0000000037520c58 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 6d1f0000 .text C:\ProgramData\DatacardService\DCSHelper.exe[2392] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076c99c3b 5 bytes JMP 00000000739cc2e0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3124] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007752beb0 8 bytes JMP 000000006ffe0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3124] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 000000006ffe0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3124] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 000000006ffe00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007752beb0 8 bytes JMP 000000006ffe00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefd6002d0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefd600148 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefd600260 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefd6001b8 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefd600110 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefd6000d8 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefd600298 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefd600180 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefd6001f0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3812] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefd600228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3988] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefd9202d0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefd920148 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefd920260 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefd9201b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefd920110 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefd9200d8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefd920298 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefd920180 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefd9201f0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefd920228 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4068] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2844] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2304] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\SearchIndexer.exe[3216] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Windows\System32\hkcmd.exe[3844] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefd9202d0 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefd920148 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefd920260 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefd9201b8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefd920110 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefd9200d8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefd920298 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefd920180 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefd9201f0 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefd920228 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Windows\System32\igfxpers.exe[2500] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefd8d02d0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefd8d0148 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefd8d0260 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefd8d01b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefd8d0110 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefd8d00d8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefd8d0298 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefd8d0180 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefd8d01f0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefd8d0228 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3896] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076393bbb 5 bytes JMP 000000007392edf0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076399abc 2 bytes JMP 00000000739befe0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076399abf 2 bytes [62, FD] .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\kernel32.dll!CopyFileExW 00000000763a3b7a 7 bytes JMP 00000000739bfba0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000763acd11 5 bytes JMP 00000000739becd0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000763fddde 7 bytes JMP 00000000739bf210 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000763fde81 7 bytes JMP 00000000739bf520 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 70230000 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000076a558b3 5 bytes JMP 000000007392bdc0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076a55ea5 5 bytes JMP 000000007392a4d0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076a57bb4 5 bytes JMP 000000007392a200 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!GetPixel 0000000076a5a854 5 bytes JMP 000000007392baf0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000076a5ac45 5 bytes JMP 000000007392a870 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000076a5af54 5 bytes JMP 000000007392b390 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000076a5bdd9 5 bytes JMP 000000007392ac20 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000076a5d7fd 5 bytes JMP 000000007392a3b0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000076a6e524 5 bytes JMP 000000007392b740 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076a84b42 5 bytes JMP 000000007392afe0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076c99c3b 5 bytes JMP 00000000739cc2e0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e91401 2 bytes JMP 000000000779a47c .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e91419 2 bytes JMP 000000000779a494 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e91431 2 bytes JMP 000000000779a4ac .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e9144a 2 bytes JMP 0000000076f5fcc5 .text ... * 9 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e914dd 2 bytes JMP 000000000779a558 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e914f5 2 bytes JMP 000000000779a570 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e9150d 2 bytes JMP 000000000779a588 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e91525 2 bytes JMP 000000000779a5a0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e9153d 2 bytes JMP 000000000779a5b8 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e91555 2 bytes JMP 000000000779a5d0 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e9156d 2 bytes JMP 000000000779a5e8 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e91585 2 bytes JMP 000000000779a600 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e9159d 2 bytes JMP 000000000779a618 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e915b5 2 bytes JMP 000000000779a630 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e915cd 2 bytes JMP 000000005d37ce48 .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e916b2 2 bytes JMP 000000000779a72d .text C:\windows\SysWOW64\RunDll32.exe[2740] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e916bd 2 bytes JMP 000000000779a738 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076393bbb 5 bytes JMP 000000007392edf0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076399abc 2 bytes JMP 00000000739befe0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076399abf 2 bytes [62, FD] .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\kernel32.dll!CopyFileExW 00000000763a3b7a 7 bytes JMP 00000000739bfba0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000763acd11 5 bytes JMP 00000000739becd0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000763fddde 7 bytes JMP 00000000739bf210 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000763fde81 7 bytes JMP 00000000739bf520 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 70a00000 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e91401 2 bytes JMP 000000000779a47c .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e91419 2 bytes JMP 000000000779a494 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e91431 2 bytes JMP 000000000779a4ac .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e9144a 2 bytes JMP 0000000076f5fcc5 .text ... * 9 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e914dd 2 bytes JMP 000000000779a558 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e914f5 2 bytes JMP 000000000779a570 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e9150d 2 bytes JMP 000000000779a588 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e91525 2 bytes JMP 000000000779a5a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e9153d 2 bytes JMP 000000000779a5b8 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e91555 2 bytes JMP 000000000779a5d0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e9156d 2 bytes JMP 000000000779a5e8 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e91585 2 bytes JMP 000000000779a600 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e9159d 2 bytes JMP 000000000779a618 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e915b5 2 bytes JMP 000000000779a630 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e915cd 2 bytes JMP 000000005d37ce48 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e916b2 2 bytes JMP 000000000779a72d .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e916bd 2 bytes JMP 000000000779a738 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000076a558b3 5 bytes JMP 000000007392bdc0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076a55ea5 5 bytes JMP 000000007392a4d0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076a57bb4 5 bytes JMP 000000007392a200 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!GetPixel 0000000076a5a854 5 bytes JMP 000000007392baf0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000076a5ac45 5 bytes JMP 000000007392a870 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000076a5af54 5 bytes JMP 000000007392b390 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000076a5bdd9 5 bytes JMP 000000007392ac20 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000076a5d7fd 5 bytes JMP 000000007392a3b0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000076a6e524 5 bytes JMP 000000007392b740 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076a84b42 5 bytes JMP 000000007392afe0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[148] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076c99c3b 5 bytes JMP 00000000739cc2e0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076393bbb 5 bytes JMP 000000007392edf0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076399abc 2 bytes JMP 00000000739befe0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076399abf 2 bytes [62, FD] .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\kernel32.dll!CopyFileExW 00000000763a3b7a 7 bytes JMP 00000000739bfba0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000763acd11 5 bytes JMP 00000000739becd0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000763fddde 7 bytes JMP 00000000739bf210 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000763fde81 7 bytes JMP 00000000739bf520 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 6d640000 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000076a558b3 5 bytes JMP 000000007392bdc0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076a55ea5 5 bytes JMP 000000007392a4d0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076a57bb4 5 bytes JMP 000000007392a200 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!GetPixel 0000000076a5a854 5 bytes JMP 000000007392baf0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000076a5ac45 5 bytes JMP 000000007392a870 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000076a5af54 5 bytes JMP 000000007392b390 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000076a5bdd9 5 bytes JMP 000000007392ac20 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000076a5d7fd 5 bytes JMP 000000007392a3b0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000076a6e524 5 bytes JMP 000000007392b740 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076a84b42 5 bytes JMP 000000007392afe0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076c99c3b 5 bytes JMP 00000000739cc2e0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e91401 2 bytes JMP 000000000779a47c .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e91419 2 bytes JMP 000000000779a494 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e91431 2 bytes JMP 000000000779a4ac .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e9144a 2 bytes JMP 0000000076f5fcc5 .text ... * 9 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e914dd 2 bytes JMP 000000000779a558 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e914f5 2 bytes JMP 000000000779a570 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e9150d 2 bytes JMP 000000000779a588 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e91525 2 bytes JMP 000000000779a5a0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e9153d 2 bytes JMP 000000000779a5b8 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e91555 2 bytes JMP 000000000779a5d0 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e9156d 2 bytes JMP 000000000779a5e8 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e91585 2 bytes JMP 000000000779a600 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e9159d 2 bytes JMP 000000000779a618 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e915b5 2 bytes JMP 000000000779a630 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e915cd 2 bytes JMP 000000005d37ce48 .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e916b2 2 bytes JMP 000000000779a72d .text C:\Program Files (x86)\Comodo\Internet Security Essentials\vkise.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e916bd 2 bytes JMP 000000000779a738 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[4320] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076393bbb 5 bytes JMP 000000007392edf0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076399abc 2 bytes JMP 00000000739befe0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076399abf 2 bytes [62, FD] .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\kernel32.dll!CopyFileExW 00000000763a3b7a 7 bytes JMP 00000000739bfba0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000763acd11 5 bytes JMP 00000000739becd0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000763fddde 7 bytes JMP 00000000739bf210 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000763fde81 7 bytes JMP 00000000739bf520 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 6d110000 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\OLE32.dll!CoCreateInstance 0000000076c99c3b 5 bytes JMP 00000000739cc2e0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000076a558b3 5 bytes JMP 000000007392bdc0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076a55ea5 5 bytes JMP 000000007392a4d0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076a57bb4 5 bytes JMP 000000007392a200 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!GetPixel 0000000076a5a854 5 bytes JMP 000000007392baf0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000076a5ac45 5 bytes JMP 000000007392a870 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000076a5af54 5 bytes JMP 000000007392b390 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000076a5bdd9 5 bytes JMP 000000007392ac20 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000076a5d7fd 5 bytes JMP 000000007392a3b0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000076a6e524 5 bytes JMP 000000007392b740 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076a84b42 5 bytes JMP 000000007392afe0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e91401 2 bytes JMP 000000000779a47c .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e91419 2 bytes JMP 000000000779a494 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e91431 2 bytes JMP 000000000779a4ac .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e9144a 2 bytes JMP 0000000076f5fcc5 .text ... * 9 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e914dd 2 bytes JMP 000000000779a558 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e914f5 2 bytes JMP 000000000779a570 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e9150d 2 bytes JMP 000000000779a588 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e91525 2 bytes JMP 000000000779a5a0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e9153d 2 bytes JMP 000000000779a5b8 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e91555 2 bytes JMP 000000000779a5d0 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e9156d 2 bytes JMP 000000000779a5e8 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e91585 2 bytes JMP 000000000779a600 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e9159d 2 bytes JMP 000000000779a618 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e915b5 2 bytes JMP 000000000779a630 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e915cd 2 bytes JMP 000000005d37ce48 .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e916b2 2 bytes JMP 000000000779a72d .text C:\Program Files (x86)\PLAY INTERNET\PLAY INTERNET.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e916bd 2 bytes JMP 000000000779a738 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076393bbb 5 bytes JMP 000000007392edf0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076399abc 2 bytes JMP 00000000739befe0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressW + 3 0000000076399abf 2 bytes [62, FD] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNEL32.dll!CopyFileExW 00000000763a3b7a 7 bytes JMP 00000000739bfba0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000763acd11 5 bytes JMP 00000000739becd0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedA 00000000763fddde 7 bytes JMP 00000000739bf210 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedW 00000000763fde81 7 bytes JMP 00000000739bf520 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 70630000 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000076a558b3 5 bytes JMP 000000007392bdc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076a55ea5 5 bytes JMP 000000007392a4d0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076a57bb4 5 bytes JMP 000000007392a200 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!GetPixel 0000000076a5a854 5 bytes JMP 000000007392baf0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000076a5ac45 5 bytes JMP 000000007392a870 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000076a5af54 5 bytes JMP 000000007392b390 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000076a5bdd9 5 bytes JMP 000000007392ac20 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000076a5d7fd 5 bytes JMP 000000007392a3b0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000076a6e524 5 bytes JMP 000000007392b740 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076a84b42 5 bytes JMP 000000007392afe0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5072] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076c99c3b 5 bytes JMP 00000000739cc2e0 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[4356] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076393bbb 5 bytes JMP 000000007392edf0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076399abc 2 bytes JMP 00000000739befe0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressW + 3 0000000076399abf 2 bytes [62, FD] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNEL32.dll!CopyFileExW 00000000763a3b7a 7 bytes JMP 00000000739bfba0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000763acd11 5 bytes JMP 00000000739becd0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedA 00000000763fddde 7 bytes JMP 00000000739bf210 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedW 00000000763fde81 7 bytes JMP 00000000739bf520 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 71390000 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000076a558b3 5 bytes JMP 000000007392bdc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076a55ea5 5 bytes JMP 000000007392a4d0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076a57bb4 5 bytes JMP 000000007392a200 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!GetPixel 0000000076a5a854 5 bytes JMP 000000007392baf0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000076a5ac45 5 bytes JMP 000000007392a870 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000076a5af54 5 bytes JMP 000000007392b390 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000076a5bdd9 5 bytes JMP 000000007392ac20 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000076a5d7fd 5 bytes JMP 000000007392a3b0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000076a6e524 5 bytes JMP 000000007392b740 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076a84b42 5 bytes JMP 000000007392afe0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e91401 2 bytes JMP 000000000779a47c .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e91419 2 bytes JMP 000000000779a494 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e91431 2 bytes JMP 000000000779a4ac .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e9144a 2 bytes JMP 0000000076f5fcc5 .text ... * 9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e914dd 2 bytes JMP 000000000779a558 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e914f5 2 bytes JMP 000000000779a570 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e9150d 2 bytes JMP 000000000779a588 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e91525 2 bytes JMP 000000000779a5a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e9153d 2 bytes JMP 000000000779a5b8 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e91555 2 bytes JMP 000000000779a5d0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e9156d 2 bytes JMP 000000000779a5e8 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e91585 2 bytes JMP 000000000779a600 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e9159d 2 bytes JMP 000000000779a618 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e915b5 2 bytes JMP 000000000779a630 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e915cd 2 bytes JMP 000000005d37ce48 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e916b2 2 bytes JMP 000000000779a72d .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3640] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e916bd 2 bytes JMP 000000000779a738 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!MoveFileExW 00000000772c2b60 13 bytes JMP 0000000037520418 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!CopyFileExW 00000000772d1870 3 bytes JMP 0000000037520298 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!CopyFileExW + 4 00000000772d1874 1 byte [C0] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007734f6e0 8 bytes JMP 0000000037520598 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007734f710 5 bytes JMP 00000000375204d8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!MoveFileW 000000007734f7e0 10 bytes JMP 0000000037520358 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007734f8e0 8 bytes JMP 0000000037520538 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!MoveFileExA 000000007734f910 10 bytes JMP 00000000375203b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!MoveFileA 000000007734f940 10 bytes JMP 00000000375202f8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\kernel32.dll!MoveFileTransactedA 0000000077355730 5 bytes JMP 0000000037520478 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5252] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4328] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4868] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000772ddd20 5 bytes JMP 000000006fff0228 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[5576] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 6 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtReplyPort 000000007752bdf0 6 bytes {JMP QWORD [RIP+0x8bf4240]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 6 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 000000007752bf50 6 bytes {JMP QWORD [RIP+0x8bd40e0]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007752bf60 6 bytes {JMP QWORD [RIP+0x8e340d0]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 6 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 6 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtFsControlFile 000000007752c0c0 6 bytes {JMP QWORD [RIP+0x8e53f70]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007752c130 6 bytes {JMP QWORD [RIP+0x8c73f00]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 6 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 6 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 6 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 6 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 6 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 6 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 6 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 6 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 6 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 000000007752c710 6 bytes {JMP QWORD [RIP+0x8dd3920]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 6 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 6 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 000000007752c810 6 bytes {JMP QWORD [RIP+0x8d73820]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007752cc10 6 bytes {JMP QWORD [RIP+0x8e93420]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007752cc20 6 bytes {JMP QWORD [RIP+0x8e73410]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007752cc50 6 bytes {JMP QWORD [RIP+0x8cb33e0]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007752ccc0 6 bytes {JMP QWORD [RIP+0x8c33370]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007752cd10 6 bytes {JMP QWORD [RIP+0x8cf3320]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007752d220 6 bytes {JMP QWORD [RIP+0x8d32e10]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemTime 000000007752d440 6 bytes {JMP QWORD [RIP+0x8eb2bf0]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd2e9ac1 5 bytes {JMP QWORD [RIP+0xa6570]} .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!SetServiceStatus 000007feff6a687c 6 bytes JMP 61437869 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007feff6a8e30 6 bytes JMP a93b6 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007feff6a995c 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007feff6a99e4 6 bytes {JMP QWORD [RIP+0x21664c]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007feff6a9ac8 6 bytes {JMP QWORD [RIP+0x1f6568]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007feff6aa51c 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007feff6aa530 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007feff6aa5b0 5 bytes [FF, 25, 80, 5A, 23] .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007feff6aa5c4 6 bytes {JMP QWORD [RIP+0x255a6c]} .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007feff6abb28 6 bytes JMP 420064 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007feff6abb3c 3 bytes JMP 0 .text C:\windows\system32\svchost.exe[5788] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007feff6abb40 2 bytes JMP 0 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4a2930 5 bytes JMP 000007febce10358 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[5788] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 6 bytes JMP 00000000375201d8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtReplyPort 000000007752bdf0 6 bytes {JMP QWORD [RIP+0x8bf4240]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 6 bytes JMP 0000000037520178 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 000000007752bf50 6 bytes {JMP QWORD [RIP+0x8bd40e0]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007752bf60 6 bytes {JMP QWORD [RIP+0x8e340d0]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 6 bytes JMP 0000000037521c18 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 6 bytes JMP 0000000037521b58 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtFsControlFile 000000007752c0c0 6 bytes {JMP QWORD [RIP+0x8e53f70]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007752c130 6 bytes {JMP QWORD [RIP+0x8c73f00]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 6 bytes JMP 0000000037521678 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 6 bytes JMP 0000000037521af8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 6 bytes JMP 0000000037521bb8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 6 bytes JMP 0000000037521e58 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 6 bytes JMP 00000000375215b8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 6 bytes JMP 0000000037521558 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 6 bytes JMP 00000000375219d8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 6 bytes JMP 00000000375216d8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 6 bytes JMP 0000000037521618 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 000000007752c710 6 bytes {JMP QWORD [RIP+0x8dd3920]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 6 bytes JMP 0000000037521798 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 6 bytes JMP 0000000037521738 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 000000007752c810 6 bytes {JMP QWORD [RIP+0x8d73820]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007752cc10 6 bytes {JMP QWORD [RIP+0x8e93420]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007752cc20 6 bytes {JMP QWORD [RIP+0x8e73410]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007752cc50 6 bytes {JMP QWORD [RIP+0x8cb33e0]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007752ccc0 6 bytes {JMP QWORD [RIP+0x8c33370]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007752cd10 6 bytes {JMP QWORD [RIP+0x8cf3320]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007752d220 6 bytes {JMP QWORD [RIP+0x8d32e10]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemTime 000000007752d440 6 bytes {JMP QWORD [RIP+0x8eb2bf0]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd2e9ac1 5 bytes {JMP QWORD [RIP+0xa6570]} .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!SetServiceStatus 000007feff6a687c 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007feff6a8e30 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007feff6a995c 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007feff6a99e4 6 bytes {JMP QWORD [RIP+0x21664c]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007feff6a9ac8 6 bytes {JMP QWORD [RIP+0x1f6568]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007feff6aa51c 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007feff6aa530 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007feff6aa5b0 5 bytes [FF, 25, 80, 5A, 23] .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007feff6aa5c4 6 bytes {JMP QWORD [RIP+0x255a6c]} .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007feff6abb28 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007feff6abb3c 3 bytes JMP 0 .text C:\windows\system32\svchost.exe[5740] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007feff6abb40 2 bytes JMP 0 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4a2930 5 bytes JMP 000007febce10358 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007fefdbd02d0 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007fefdbd0148 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007fefdbd0260 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007fefdbd01b8 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007fefdbd0110 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007fefdbd00d8 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007fefdbd0298 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007fefdbd0180 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007fefdbd01f0 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007fefdbd0228 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\ole32.dll!CoCreateInstanceEx 000007fefe1bc070 6 bytes {JMP QWORD [RIP+0x213fc0]} .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\svchost.exe[5740] C:\windows\system32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077502280 5 bytes JMP 00000000375201d8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007752be20 8 bytes JMP 0000000037520178 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007752bef0 8 bytes JMP 0000000037521d98 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007752bff0 8 bytes JMP 0000000037521978 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007752c060 8 bytes JMP 0000000037521c18 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007752c0a0 8 bytes JMP 0000000037521b58 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007752c140 8 bytes JMP 0000000037521c78 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007752c1b0 8 bytes JMP 0000000037521678 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007752c1d0 8 bytes JMP 0000000037521af8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007752c210 8 bytes JMP 00000000375217f8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007752c260 8 bytes JMP 0000000037521858 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007752c280 8 bytes JMP 0000000037521bb8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007752c470 8 bytes JMP 0000000037521e58 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007752c480 8 bytes JMP 00000000375215b8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007752c580 8 bytes JMP 0000000037521558 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007752c650 8 bytes JMP 00000000375219d8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007752c690 8 bytes JMP 00000000375216d8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007752c700 8 bytes JMP 0000000037521618 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007752c730 8 bytes JMP 0000000037521798 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007752c790 8 bytes JMP 0000000037521738 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007752c7a0 8 bytes JMP 0000000037521cd8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007752c7b0 8 bytes JMP 0000000037521df8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007752cb20 8 bytes JMP 0000000037521a38 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007752cbb0 8 bytes JMP 0000000037521d38 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007752d420 8 bytes JMP 0000000037521a98 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007752d4a0 8 bytes JMP 00000000375218b8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007752d520 8 bytes JMP 0000000037521918 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2e3a50 7 bytes JMP 000007febce10238 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\KERNELBASE.dll!DefineDosDeviceW 000007fefd30ff00 5 bytes JMP 000007febce10298 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!DeleteDC 000007fefdbe22f0 5 bytes JMP 000007febce10538 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!BitBlt 000007fefdbe23a0 5 bytes JMP 000007febce10598 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!GdiAlphaBlend 000007fefdbe3e40 5 bytes JMP 000007febce104d8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!MaskBlt 000007fefdbe7534 5 bytes JMP 000007febce105f8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!CreateDCW 000007fefdbe81b4 9 bytes JMP 000007febce103b8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!CreateDCA 000007fefdbe87f4 9 bytes JMP 000007febce10358 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!GetPixel 000007fefdbe8d4c 5 bytes JMP 000007febce10418 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!StretchBlt 000007fefdbebaa4 5 bytes JMP 000007febce106b8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!PlgBlt 000007fefdbec7a0 5 bytes JMP 000007febce10658 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\GDI32.dll!GdiTransparentBlt 000007fefdbf52e0 5 bytes JMP 000007febce10478 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\ole32.dll!CoCreateInstance 000007fefe1d3600 1 byte JMP 000007febce102f8 .text C:\windows\system32\AUDIODG.EXE[5456] C:\windows\System32\ole32.dll!CoCreateInstance + 2 000007fefe1d3602 4 bytes {JMP 0xffffffffbec3ccf8} .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000776df9f0 5 bytes JMP 00000000739d2e50 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776dfb38 5 bytes JMP 00000000739c83f0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfcc0 5 bytes JMP 00000000739c7990 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd74 5 bytes JMP 00000000739c90a0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfdd8 5 bytes JMP 00000000739c8790 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfed0 5 bytes JMP 00000000739cabb0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776dff84 5 bytes JMP 00000000739c6c00 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dffb4 5 bytes JMP 00000000739c89a0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776e0014 5 bytes JMP 00000000739c7550 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0094 5 bytes JMP 00000000739c77a0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e00c4 5 bytes JMP 00000000739c8d50 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e03c8 5 bytes JMP 00000000739ca0a0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776e03e0 5 bytes JMP 00000000739cb970 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0560 5 bytes JMP 00000000739cb690 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e06a4 5 bytes JMP 00000000739c7b80 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776e0704 5 bytes JMP 00000000739cba80 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776e07ac 5 bytes JMP 00000000739c6af0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776e07f4 5 bytes JMP 00000000739cbb90 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776e0884 5 bytes JMP 00000000739c6d10 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e089c 5 bytes JMP 00000000739cae80 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e08b4 5 bytes JMP 00000000739ca5d0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0e04 5 bytes JMP 00000000739c7df0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0ee8 5 bytes JMP 00000000739c8200 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bf4 5 bytes JMP 00000000739c7ff0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1cc4 5 bytes JMP 00000000739caa60 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d9c 5 bytes JMP 00000000739c85e0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776fd2f6 7 bytes JMP 00000000739d2cd0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076393bbb 5 bytes JMP 000000007392edf0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076399abc 2 bytes JMP 00000000739befe0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076399abf 2 bytes [62, FD] .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\kernel32.dll!CopyFileExW 00000000763a3b7a 7 bytes JMP 00000000739bfba0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000763acd11 5 bytes JMP 00000000739becd0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000763fddde 7 bytes JMP 00000000739bf210 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000763fde81 7 bytes JMP 00000000739bf520 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f9f8a7 5 bytes JMP 00000000739d2cb0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000075f9fcda 5 bytes JMP 00000000739c6400 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075fa2e0b 4 bytes CALL 710b0000 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000761d8332 5 bytes JMP 00000000739d3de0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 5 bytes JMP 00000000739d4750 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 7 bytes JMP 00000000739d3800 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 5 bytes JMP 00000000739d4c40 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 5 bytes JMP 00000000739d51a0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee21 5 bytes JMP 00000000739d39d0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000761defe1 5 bytes JMP 00000000739d78d0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetThreadDesktop 00000000761e02ae 5 bytes JMP 0000000073931480 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761e12bd 5 bytes JMP 00000000739d4260 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761e2797 5 bytes JMP 00000000739d6860 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761e3ef0 5 bytes JMP 00000000739d6f10 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetParent 00000000761e45cc 5 bytes JMP 00000000739d7130 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761e460c 5 bytes JMP 00000000739d7af0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761e4713 5 bytes JMP 00000000739d6ad0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761e47e5 5 bytes JMP 00000000739d65c0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761e4bbc 1 byte JMP 00000000739d3fc0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!PostMessageA + 2 00000000761e4bbe 3 bytes {JMP 0xfffffffffd7ef404} .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e4d1d 5 bytes JMP 00000000739d4500 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761e71e0 5 bytes JMP 00000000739d3c00 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761e71fe 5 bytes JMP 00000000739d49a0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e7d59 7 bytes JMP 00000000739d3620 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e81f5 5 bytes JMP 00000000739d3300 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e825a 5 bytes JMP 00000000739d5c30 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e82d2 5 bytes JMP 00000000739d5700 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e8411 5 bytes JMP 00000000739d4ee0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e8f4c 5 bytes JMP 00000000739d3040 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ecc1e 5 bytes JMP 00000000739d7320 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!ClipCursor 00000000761ef2b3 5 bytes JMP 00000000739d7f00 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fa072 5 bytes JMP 00000000739d5ec0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fdbf5 5 bytes JMP 00000000739d6110 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendInput 00000000761fff2a 5 bytes JMP 0000000073931810 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076218e6f 5 bytes JMP 0000000073931b80 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SwitchDesktop 00000000762198b5 5 bytes JMP 00000000739d8160 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076219fa4 5 bytes JMP 0000000073931c10 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221533 5 bytes JMP 00000000739d7d20 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SetSystemCursor 0000000076230299 5 bytes JMP 00000000739d8300 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!mouse_event 000000007623030f 5 bytes JMP 0000000073931a80 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!keybd_event 0000000076230353 5 bytes JMP 00000000739319a0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236d94 5 bytes JMP 00000000739d5460 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236df5 5 bytes JMP 00000000739d59a0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!BlockInput 0000000076237e6f 5 bytes JMP 00000000739d74f0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!PrintWindow 00000000762388c3 5 bytes JMP 000000007392bcc0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076238983 5 bytes JMP 00000000739d6d30 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000076a558b3 5 bytes JMP 000000007392bdc0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076a55ea5 5 bytes JMP 000000007392a4d0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076a57bb4 5 bytes JMP 000000007392a200 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!GetPixel 0000000076a5a854 5 bytes JMP 000000007392baf0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000076a5ac45 5 bytes JMP 000000007392a870 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000076a5af54 5 bytes JMP 000000007392b390 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000076a5bdd9 5 bytes JMP 000000007392ac20 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000076a5d7fd 5 bytes JMP 000000007392a3b0 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000076a6e524 5 bytes JMP 000000007392b740 .text C:\Users\IZA\Desktop\GMER\j9n9hutv.exe[5684] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076a84b42 5 bytes JMP 000000007392afe0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e599a42e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e599a42e@d45d42a24eb0 0x05 0xEB 0x19 0xFA ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e599a42e@b0c4e7b3e052 0x53 0xF7 0x61 0x66 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e599a42e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e599a42e@d45d42a24eb0 0x05 0xEB 0x19 0xFA ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e599a42e@b0c4e7b3e052 0x53 0xF7 0x61 0x66 ... ---- EOF - GMER 2.2 ----