GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-27 20:57:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1 PLEXTOR_ rev.1.03 238,47GB Running: y79v5okg.exe; Driver: C:\Users\Sasha\AppData\Local\Temp\ufldrfod.sys ---- Kernel code sections - GMER 2.2 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 674 fffff800031a6092 45 bytes [00, 00, 40, 40, 7C, 7C, 6D, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 720 fffff800031a60c0 5 bytes [04, 00, 00, 00, 20] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077501360 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077501560 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077501360 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077501560 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\services.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\services.exe[752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe336bd0 5 bytes JMP 000007febced0358 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SwitchDesktop 0000000077295350 7 bytes JMP 0000000037501498 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077296ef0 8 bytes JMP 0000000037501018 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077298184 7 bytes JMP 00000000375012b8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetParent 0000000077298530 8 bytes JMP 0000000037501078 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077299bcc 6 bytes JMP 00000000375007d8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!PostMessageA 000000007729a404 5 bytes JMP 0000000037500958 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!EnableWindow 000000007729aaa0 9 bytes JMP 0000000037501378 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!MoveWindow 000000007729aad0 8 bytes JMP 00000000375010d8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 000000007729b500 6 bytes JMP 0000000037500898 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007729c720 5 bytes JMP 0000000037500fb8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007729cd50 8 bytes JMP 0000000037501258 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007729d2b0 5 bytes JMP 0000000037500a18 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendMessageA 000000007729d338 5 bytes JMP 0000000037500ad8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007729dc40 9 bytes JMP 0000000037500d78 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007729f510 7 bytes JMP 0000000037501318 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007729f874 9 bytes JMP 0000000037500718 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007729fac0 9 bytes JMP 0000000037500bf8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000772a0b74 10 bytes JMP 0000000037500a78 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000772a33b0 8 bytes JMP 0000000037500838 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000772a4d4c 5 bytes JMP 0000000037500778 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!GetKeyState 00000000772a5010 5 bytes JMP 0000000037500f58 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000772a5438 7 bytes JMP 0000000037500cb8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendMessageW 00000000772a6b50 5 bytes JMP 0000000037500b38 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 00000000772a76c0 1 byte JMP 00000000375008f8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 2 00000000772a76c2 6 bytes {JMP 0xffffffffc0259238} .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!PostMessageW 00000000772a76e4 7 bytes JMP 00000000375009b8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000772add90 5 bytes JMP 0000000037500e38 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!GetClipboardData 00000000772ae874 5 bytes JMP 00000000375011f8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000772af780 8 bytes JMP 0000000037501138 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772b28e4 12 bytes JMP 0000000037500d18 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!mouse_event 00000000772b3894 7 bytes JMP 0000000037500658 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000772b8a10 8 bytes JMP 0000000037500ef8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000772b8be0 12 bytes JMP 0000000037500b98 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000772b8c20 12 bytes JMP 00000000375006b8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendInput 00000000772b8cd0 8 bytes JMP 0000000037500e98 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!BlockInput 00000000772bad60 8 bytes JMP 0000000037501198 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!ClipCursor 00000000772badb0 8 bytes JMP 0000000037501438 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772e14e0 5 bytes JMP 00000000375013d8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SetSystemCursor 000000007730454c 5 bytes JMP 00000000375014f8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!keybd_event 00000000773045a4 7 bytes JMP 00000000375005f8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007730cc08 5 bytes JMP 0000000037500dd8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007730df18 7 bytes JMP 0000000037500c58 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0598 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced0538 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced0658 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced0418 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0478 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced0718 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\services.exe[752] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe336bd0 5 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced0718 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe336bd0 5 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced0718 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077501430 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 000000006fff0110 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe336bd0 5 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced0718 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1428] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\WLANExt.exe[1436] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\conhost.exe[1444] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\nvvsvc.exe[1472] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\Dwm.exe[1732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SwitchDesktop 0000000077295350 7 bytes JMP 0000000037501498 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077296ef0 8 bytes JMP 0000000037501018 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077298184 7 bytes JMP 00000000375012b8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetParent 0000000077298530 8 bytes JMP 0000000037501078 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077299bcc 6 bytes JMP 00000000375007d8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!PostMessageA 000000007729a404 5 bytes JMP 0000000037500958 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!EnableWindow 000000007729aaa0 9 bytes JMP 0000000037501378 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!MoveWindow 000000007729aad0 8 bytes JMP 00000000375010d8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 000000007729b500 6 bytes JMP 0000000037500898 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007729c720 5 bytes JMP 0000000037500fb8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007729cd50 8 bytes JMP 0000000037501258 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007729d2b0 5 bytes JMP 0000000037500a18 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendMessageA 000000007729d338 5 bytes JMP 0000000037500ad8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007729dc40 9 bytes JMP 0000000037500d78 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007729f510 7 bytes JMP 0000000037501318 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007729f874 9 bytes JMP 0000000037500718 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007729fac0 9 bytes JMP 0000000037500bf8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000772a0b74 10 bytes JMP 0000000037500a78 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000772a33b0 8 bytes JMP 0000000037500838 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000772a4d4c 5 bytes JMP 0000000037500778 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!GetKeyState 00000000772a5010 5 bytes JMP 0000000037500f58 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000772a5438 7 bytes JMP 0000000037500cb8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendMessageW 00000000772a6b50 5 bytes JMP 0000000037500b38 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 00000000772a76c0 1 byte JMP 00000000375008f8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 2 00000000772a76c2 6 bytes {JMP 0xffffffffc0259238} .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!PostMessageW 00000000772a76e4 7 bytes JMP 00000000375009b8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000772add90 5 bytes JMP 0000000037500e38 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!GetClipboardData 00000000772ae874 5 bytes JMP 00000000375011f8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000772af780 8 bytes JMP 0000000037501138 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772b28e4 12 bytes JMP 0000000037500d18 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!mouse_event 00000000772b3894 7 bytes JMP 0000000037500658 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000772b8a10 8 bytes JMP 0000000037500ef8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000772b8be0 12 bytes JMP 0000000037500b98 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000772b8c20 12 bytes JMP 00000000375006b8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendInput 00000000772b8cd0 8 bytes JMP 0000000037500e98 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!BlockInput 00000000772bad60 8 bytes JMP 0000000037501198 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!ClipCursor 00000000772badb0 8 bytes JMP 0000000037501438 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772e14e0 5 bytes JMP 00000000375013d8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SetSystemCursor 000000007730454c 5 bytes JMP 00000000375014f8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!keybd_event 00000000773045a4 7 bytes JMP 00000000375005f8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007730cc08 5 bytes JMP 0000000037500dd8 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007730df18 7 bytes JMP 0000000037500c58 .text C:\Windows\Explorer.EXE[1784] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe336bd0 5 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced0718 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 0 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\System32\igfxtray.exe[1568] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\System32\hkcmd.exe[1804] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\System32\igfxpers.exe[2112] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\taskeng.exe[2120] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2152] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SwitchDesktop 0000000077295350 7 bytes JMP 0000000037501498 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077296ef0 8 bytes JMP 0000000037501018 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077298184 7 bytes JMP 00000000375012b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetParent 0000000077298530 8 bytes JMP 0000000037501078 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077299bcc 6 bytes JMP 00000000375007d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!PostMessageA 000000007729a404 5 bytes JMP 0000000037500958 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!EnableWindow 000000007729aaa0 9 bytes JMP 0000000037501378 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!MoveWindow 000000007729aad0 8 bytes JMP 00000000375010d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 000000007729b500 6 bytes JMP 0000000037500898 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007729c720 5 bytes JMP 0000000037500fb8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007729cd50 8 bytes JMP 0000000037501258 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007729d2b0 5 bytes JMP 0000000037500a18 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendMessageA 000000007729d338 5 bytes JMP 0000000037500ad8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007729dc40 9 bytes JMP 0000000037500d78 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007729f510 7 bytes JMP 0000000037501318 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007729f874 9 bytes JMP 0000000037500718 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007729fac0 9 bytes JMP 0000000037500bf8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000772a0b74 10 bytes JMP 0000000037500a78 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000772a33b0 8 bytes JMP 0000000037500838 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000772a4d4c 5 bytes JMP 0000000037500778 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!GetKeyState 00000000772a5010 5 bytes JMP 0000000037500f58 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000772a5438 7 bytes JMP 0000000037500cb8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendMessageW 00000000772a6b50 5 bytes JMP 0000000037500b38 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 00000000772a76c0 1 byte JMP 00000000375008f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 2 00000000772a76c2 6 bytes {JMP 0xffffffffc0259238} .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!PostMessageW 00000000772a76e4 7 bytes JMP 00000000375009b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000772add90 5 bytes JMP 0000000037500e38 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!GetClipboardData 00000000772ae874 5 bytes JMP 00000000375011f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000772af780 8 bytes JMP 0000000037501138 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772b28e4 12 bytes JMP 0000000037500d18 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!mouse_event 00000000772b3894 7 bytes JMP 0000000037500658 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000772b8a10 8 bytes JMP 0000000037500ef8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000772b8be0 12 bytes JMP 0000000037500b98 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000772b8c20 12 bytes JMP 00000000375006b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendInput 00000000772b8cd0 8 bytes JMP 0000000037500e98 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!BlockInput 00000000772bad60 8 bytes JMP 0000000037501198 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!ClipCursor 00000000772badb0 8 bytes JMP 0000000037501438 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772e14e0 5 bytes JMP 00000000375013d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SetSystemCursor 000000007730454c 5 bytes JMP 00000000375014f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!keybd_event 00000000773045a4 7 bytes JMP 00000000375005f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007730cc08 5 bytes JMP 0000000037500dd8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2232] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007730df18 7 bytes JMP 0000000037500c58 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\taskeng.exe[2252] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2376] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 6f007400 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\Elantech\ETDCtrl.exe[2644] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\DbxSvc.exe[2832] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000751787b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6d7e0000 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bf1465 2 bytes [BF, 76] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bf14bb 2 bytes [BF, 76] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2496] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6f750000 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2356] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6f6f0000 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3232] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3308] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[3380] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 714f0000 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bf1465 2 bytes [BF, 76] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bf14bb 2 bytes [BF, 76] .text ... * 2 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL b0000000 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd5cad02 3 bytes CALL aa6765 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[3644] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4024] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 6e006900 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\wbem\wmiprvse.exe[4068] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 713b0000 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\Unified Remote 3\RemoteServerWin.exe[3164] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[4384] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[4732] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\CCleaner\CCleaner64.exe[2404] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 718d0000 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bf1465 2 bytes [BF, 76] .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bf14bb 2 bytes [BF, 76] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\SearchIndexer.exe[4528] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5284] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 24206e8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6076] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 708b0000 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5216] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\wbem\unsecapp.exe[5256] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6e2e0000 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5480] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6e3f0000 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5936] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\svchost.exe[5956] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6d800000 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bf1465 2 bytes [BF, 76] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[6212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bf14bb 2 bytes [BF, 76] .text ... * 2 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774d5b60 5 bytes JMP 00000000000205f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077501440 5 bytes JMP 0000000000020678 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 00000000000200a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000000020018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775016b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 5 bytes JMP 0000000037501678 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775017d0 5 bytes JMP 0000000000020128 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 5 bytes JMP 0000000037501618 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 5 bytes JMP 0000000037501738 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077501d80 5 bytes JMP 0000000000020348 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077502240 5 bytes JMP 0000000000020458 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077502290 5 bytes JMP 00000000000204e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077557700 5 bytes JMP 0000000000020568 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 244c8948 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[7096] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6e4f0000 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7432] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774d5b60 5 bytes JMP 00000000000205f0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077501430 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077501440 5 bytes JMP 0000000000020678 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 00000000000200a0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000000020018 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775016b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 5 bytes JMP 00000000000201b0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775017d0 5 bytes JMP 0000000000020128 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 5 bytes JMP 0000000000020238 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 5 bytes JMP 00000000000202c0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077501d80 5 bytes JMP 0000000000020348 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077502240 5 bytes JMP 0000000000020458 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077502290 5 bytes JMP 00000000000204e0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077557700 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6f200000 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[7516] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 70460000 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[7952] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[8464] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6e9c0000 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[8660] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 70080000 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[8684] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774d5b60 5 bytes JMP 00000000000205f0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077501440 5 bytes JMP 0000000000020678 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 00000000000200a0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000000020018 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775016b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 5 bytes JMP 0000000037501678 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775017d0 5 bytes JMP 0000000000020128 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 5 bytes JMP 0000000037501618 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 5 bytes JMP 0000000037501738 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077501d80 5 bytes JMP 0000000000020348 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077502240 5 bytes JMP 0000000000020458 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077502290 5 bytes JMP 00000000000204e0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077557700 5 bytes JMP 0000000000020568 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[8704] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[8728] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 70500000 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[9480] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6f920000 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bf1465 2 bytes [BF, 76] .text C:\Windows\SysWOW64\RunDll32.exe[9560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bf14bb 2 bytes [BF, 76] .text ... * 2 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774d5b60 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077501440 5 bytes JMP 0000000000020678 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000000020018 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775016b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 5 bytes JMP 0000000037501678 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775017d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 5 bytes JMP 0000000037501618 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 5 bytes JMP 0000000037501738 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077501d80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077502240 5 bytes JMP 0000000000020458 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077502290 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077557700 5 bytes JMP 0000000000020568 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\igfxext.exe[6920] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774d5b60 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077501440 5 bytes JMP 0000000000020678 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000000020018 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775016b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 5 bytes JMP 0000000037501678 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775017d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 5 bytes JMP 0000000037501618 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 5 bytes JMP 0000000037501738 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077501d80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077502240 5 bytes JMP 0000000000020458 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077502290 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077557700 5 bytes JMP 0000000000020568 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\igfxsrvc.exe[9632] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6d1a0000 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[5036] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6d6c0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[9784] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6e210000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7700] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6d080000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7472] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[7180] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774d5b60 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077501440 5 bytes JMP 0000000000020678 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775016b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 5 bytes JMP 0000000037501678 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775017d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 5 bytes JMP 0000000037501618 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 5 bytes JMP 0000000037501738 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077501d80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077502240 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077502290 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077557700 5 bytes JMP 0000000000020568 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\wuauclt.exe[9408] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774d5b60 5 bytes JMP 00000000000205f0 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077501440 5 bytes JMP 0000000000020678 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 00000000000200a0 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000000020018 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775016b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 5 bytes JMP 0000000037501678 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775017d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 5 bytes JMP 0000000037501618 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 5 bytes JMP 0000000037501738 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077501d80 5 bytes JMP 0000000000020348 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077502240 5 bytes JMP 0000000000020458 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077502290 5 bytes JMP 00000000000204e0 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077557700 5 bytes JMP 0000000000020568 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 0 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Program Files\Vuze\Azureus.exe[3396] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[7440] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 71140000 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bf1465 2 bytes [BF, 76] .text C:\Program Files (x86)\NapiProjekt\napisy.exe[9172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bf14bb 2 bytes [BF, 76] .text ... * 2 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 71360000 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bf1465 2 bytes [BF, 76] .text C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe[9348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bf14bb 2 bytes [BF, 76] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000751787b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6f1b0000 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bf1465 2 bytes [BF, 76] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bf14bb 2 bytes [BF, 76] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[12216] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes CALL 0 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Windows\system32\AUDIODG.EXE[1496] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefd7b7490 11 bytes JMP 000007febced02f8 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 6f1a0000 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 .text C:\Windows\SysWOW64\ctfmon.exe[4472] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076ff9d0b 5 bytes JMP 000000007312c2e0 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3b10 5 bytes JMP 00000000375001d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775013a0 8 bytes JMP 0000000037500178 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077501470 8 bytes JMP 0000000037501d98 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077501570 8 bytes JMP 0000000037501978 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775015e0 8 bytes JMP 0000000037501c18 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077501620 8 bytes JMP 0000000037501b58 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775016c0 8 bytes JMP 0000000037501c78 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077501730 8 bytes JMP 0000000037501678 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077501750 8 bytes JMP 0000000037501af8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077501790 8 bytes JMP 00000000375017f8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775017e0 8 bytes JMP 0000000037501858 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077501800 8 bytes JMP 0000000037501bb8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775019f0 8 bytes JMP 0000000037501e58 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077501a00 8 bytes JMP 00000000375015b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077501b00 8 bytes JMP 0000000037501558 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077501bd0 8 bytes JMP 00000000375019d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077501c10 8 bytes JMP 00000000375016d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077501c80 8 bytes JMP 0000000037501618 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077501cb0 8 bytes JMP 0000000037501798 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077501d10 8 bytes JMP 0000000037501738 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077501d20 8 bytes JMP 0000000037501cd8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077501d30 8 bytes JMP 0000000037501df8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775020a0 8 bytes JMP 0000000037501a38 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077502130 8 bytes JMP 0000000037501d38 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775029a0 8 bytes JMP 0000000037501a98 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077502a20 8 bytes JMP 00000000375018b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077502aa0 8 bytes JMP 0000000037501918 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077393060 13 bytes JMP 0000000037500418 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000773a23d0 5 bytes JMP 0000000037500298 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 1 00000000773a9b81 7 bytes [31, C0, C3, 90, 90, 90, 90] .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773ae750 5 bytes JMP 0000000037500238 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007741f6c0 8 bytes JMP 0000000037500598 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007741f6f0 5 bytes JMP 00000000375004d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!MoveFileW 000000007741f7c0 10 bytes JMP 0000000037500358 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007741f8c0 8 bytes JMP 0000000037500538 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!MoveFileExA 000000007741f8f0 10 bytes JMP 00000000375003b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!MoveFileA 000000007741f920 10 bytes JMP 00000000375002f8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077425690 5 bytes JMP 0000000037500478 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5b9aa5 3 bytes [65, 65, 48] .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5c5290 7 bytes JMP 000007febced0238 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd5f0be0 5 bytes JMP 000007febced0298 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefde222cc 5 bytes JMP 000007febced0538 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!BitBlt 000007fefde224c0 5 bytes JMP 000007febced0598 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefde23df4 5 bytes JMP 000007febced04d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefde25be0 5 bytes JMP 000007febced05f8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefde28398 9 bytes JMP 000007febced03b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefde289c8 9 bytes JMP 000007febced0358 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!GetPixel 000007fefde29344 5 bytes JMP 000007febced0418 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefde2b9e8 5 bytes JMP 000007febced06b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefde34f1c 5 bytes JMP 000007febced0478 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2384] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefde35410 5 bytes JMP 000007febced0658 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776af9e0 5 bytes JMP 0000000073132e50 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000776afad8 5 bytes JMP 00000000612834b0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb28 5 bytes JMP 00000000731283f0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 0000000061282830 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcb0 5 bytes JMP 0000000073127990 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afd64 5 bytes JMP 00000000731290a0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afdc8 5 bytes JMP 0000000073128790 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000000612826c0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000776afea8 5 bytes JMP 0000000061282c30 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776afec0 5 bytes JMP 000000007312abb0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776aff74 5 bytes JMP 0000000073126c00 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776affa4 5 bytes JMP 00000000731289a0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0004 5 bytes JMP 0000000073127550 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000776b0068 5 bytes JMP 00000000612829d0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b0084 5 bytes JMP 00000000731277a0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b00b4 5 bytes JMP 0000000073128d50 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b03b8 5 bytes JMP 000000007312a0a0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b03d0 5 bytes JMP 000000007312b970 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b0550 5 bytes JMP 000000007312b690 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b0694 5 bytes JMP 0000000073127b80 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b06f4 5 bytes JMP 000000007312ba80 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b079c 5 bytes JMP 0000000073126af0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b07e4 5 bytes JMP 000000007312bb90 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b0874 5 bytes JMP 0000000073126d10 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b088c 5 bytes JMP 000000007312ae80 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08a4 5 bytes JMP 000000007312a5d0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776b091c 5 bytes JMP 0000000061283290 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0df4 5 bytes JMP 0000000073127df0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0ed8 5 bytes JMP 0000000073128200 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000776b1078 5 bytes JMP 0000000061282ec0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776b10f0 5 bytes JMP 0000000061283150 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1be4 5 bytes JMP 0000000073127ff0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1cb4 5 bytes JMP 000000007312aa60 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1d8c 5 bytes JMP 00000000731285e0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c975f 5 bytes JMP 0000000061283420 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d1287 7 bytes JMP 0000000073132cd0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007774feed 5 bytes JMP 0000000061283340 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075183bdb 5 bytes JMP 0000000073125520 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075189ab4 2 bytes JMP 000000007311efe0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000075189ab7 2 bytes [F9, FD] .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075193b7a 7 bytes JMP 000000007311fba0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007519ccd1 5 bytes JMP 000000007311ecd0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000751ed7e6 7 bytes JMP 000000007311f210 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000751ed889 7 bytes JMP 000000007311f520 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007699f776 5 bytes JMP 0000000073132cb0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007699fba9 5 bytes JMP 0000000073126400 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769a2c91 4 bytes CALL 707b0000 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075288332 5 bytes JMP 0000000073133de0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075288bff 5 bytes JMP 0000000073134750 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000752890d3 7 bytes JMP 0000000073133800 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075289679 5 bytes JMP 0000000073134c40 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000752897d2 5 bytes JMP 00000000731351a0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007528ee09 5 bytes JMP 00000000731339d0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007528efc9 5 bytes JMP 00000000731378d0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000752912a5 5 bytes JMP 0000000073134260 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007529291f 5 bytes JMP 0000000073136860 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SetParent 0000000075292d64 5 bytes JMP 0000000073137130 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075292da4 5 bytes JMP 0000000073137af0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075293698 5 bytes JMP 0000000073136f10 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075293baa 5 bytes JMP 0000000073133fc0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075293c61 5 bytes JMP 0000000073134500 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075296110 5 bytes JMP 0000000073133c00 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007529612e 5 bytes JMP 00000000731349a0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075296c30 7 bytes JMP 0000000073133620 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075297603 5 bytes JMP 0000000073133300 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075297668 5 bytes JMP 0000000073135c30 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000752976e0 5 bytes JMP 0000000073135700 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007529781f 5 bytes JMP 0000000073134ee0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007529835c 5 bytes JMP 0000000073133040 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007529c4b6 5 bytes JMP 0000000073137320 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!ClipCursor 00000000752a1353 5 bytes JMP 0000000073137f00 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000752ac112 5 bytes JMP 0000000073135ec0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000752ad0f5 5 bytes JMP 0000000073136110 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000752aeb96 5 bytes JMP 0000000073136ad0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000752aec68 5 bytes JMP 00000000731365c0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendInput 00000000752aff4a 5 bytes JMP 0000000073136360 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000752c9854 5 bytes JMP 0000000073138160 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000752c9f1d 5 bytes JMP 00000000731376c0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000752d1497 5 bytes JMP 0000000073137d20 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000752e0205 5 bytes JMP 0000000073138300 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!mouse_event 00000000752e027b 5 bytes JMP 0000000073120af0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!keybd_event 00000000752e02bf 5 bytes JMP 0000000073120920 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000752e6cfc 5 bytes JMP 0000000073135460 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000752e6d5d 5 bytes JMP 00000000731359a0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!BlockInput 00000000752e7dd7 5 bytes JMP 00000000731374f0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000752e88eb 5 bytes JMP 0000000073136d30 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771f58b3 5 bytes JMP 00000000731216e0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771f5ea6 5 bytes JMP 0000000073120d00 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771f7bcc 5 bytes JMP 0000000073120650 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 00000000771fb0eb 5 bytes JMP 0000000073121c70 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771fb895 5 bytes JMP 0000000073121460 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 00000000771fbba4 5 bytes JMP 00000000731219f0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771fc332 5 bytes JMP 0000000073120f70 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771fcbfb 5 bytes JMP 00000000731217b0 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771fe743 5 bytes JMP 0000000073120800 .text C:\Users\Sasha\Downloads\y79v5okg.exe[11280] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077224646 5 bytes JMP 00000000731211f0 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\CLASSPNP.SYS[ntoskrnl.exe!IofCallDriver] [fffff880042893e4] \SystemRoot\system32\drivers\aswSP.sys [.text] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!DrawTextExW] [7feeabb8f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\DUser.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\DUser.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\DUI70.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\DUI70.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawTextExW] [7feeabb8f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\MSCTF.dll[USER32.dll!DrawTextExW] [7feeabb8f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\MSCTF.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\UxTheme.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\UxTheme.dll[USER32.dll!DrawTextExW] [7feeabb8f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\UxTheme.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!DrawTextExW] [7feeabb8f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\ATL.DLL[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\System32\shdocvw.dll[USER32.dll!DrawTextExW] [7feeabb8f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\msutb.dll[USER32.dll!DrawTextExW] [7feeabb8f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\msutb.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\System32\gameux.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\authui.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\CRYPTUI.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\CRYPTUI.dll[USER32.dll!DrawTextExW] [7feeabb8f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\urlmon.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\System32\ieframe.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\System32\ieframe.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\System32\ieframe.dll[USER32.dll!DrawTextExW] [7feeabb8f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\msi.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\dxp.dll[USER32.dll!FillRect] [7feeabb8ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\dxp.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\ntshrui.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\system32\FXSAPI.dll[USER32.dll!DrawTextW] [7feeabb8e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14943657335602294@SetupOperations ???-????? ???????,?????????????0?????????????????????_?+???,???????????????????,???????????????????,???????????,???,???????????????,??????????? ??? ???????????????????,???????????????,???????????,??????????????????????? ???????????;???????????????,???????,???????,???????,???????????????????,???;???????????????????????????????????????;???????????????????,???????????????????????????????????-???????????????????-????????????????????????????????????????????? ???-??????????????PCI\VEN_8086&DEV_2779&SUBSYS_01E61028&REV_00?PCI\VEN_8086&DEV_2779&SUBSYS_01E61028?PCI\VEN_8086&DEV_2779&CC_060400?PCI\VEN_8086&DEV_27???????-???????????????????????-???????????????????-?-?-??? ???????????????????-?-????????*?4?&????????????????????-???????-??????????????? ???????-?????-???????0????????????&???????????????????????? ???????,?????-?? ??6????"???$?z???????? ??????0???????????????? ???????-???????????-????????"??????????f?????-?????????- ???????????r?@s????N??-???v?????Di.??{00000000-0000-0000-ffff-ffffffffffff}?n %???????-???4? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4749f8bf1ee Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14943657335602294@SetupOperations ??????????????????????????????????????????????????N????????D??????N????????D????????????????????????KINGSTON????Logitech Pointing Device?????????????????????????o??? ???????????????????????????????????????f??? ?????????????????????0??L????????? ???????????? ?????????????????????0????????????&???????????????????????????????? ?????????????????????0????????????????????????????? ?????????????????????0????????2?????????????~?????????????????????????????5.90.38.0???????????? ?????????????????????0????????????&???????????????????????oem36.inf???? ?????????????????????0????????????????????? ?????????????????????0????????~???????????????????????????????oem36.inf:Logitech.NTamd64:NullInst:5.90.38.0:logitech_raw_pdo??????????????????????????????????????? ?????????????????????0????????????????????????????????? ?????????????????????0????????????????????????????????????????????????????????????????????? ?????????????????????0????????????????????????????????????????? ?????????????????????0??????????????????????????????????? Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b4749f8bf1ee (not active ControlSet) ---- EOF - GMER 2.2 ----