GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-05 14:46:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-3 SAMSUNG_SP2504C rev.VT100-50 232,88GB Running: x044jm19.exe; Driver: C:\Users\KRZYSZ~1\AppData\Local\Temp\pwddqpow.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\system32\ntoskrnl.exe!KePulseEvent + 468 fffff80002a1c8b0 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KePulseEvent + 560 fffff80002a1c90c 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!ExSystemTimeToLocalTime + 137 fffff80002a22169 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExSystemTimeToLocalTime + 197 fffff80002a221a5 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!FsRtlInsertPerStreamContext + 137 fffff80002a235b5 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeTryToAcquireQueuedSpinLock + 87 fffff80002a236e7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoSetFileOrigin + 395 fffff80002a25d8b 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlGetAce + 630 fffff80002a2bad6 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfReleasePushLock + 8 fffff80002a2c598 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcScheduleReadAhead + 940 fffff80002a2d46c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcGetDirtyPages + 134 fffff80002a2e776 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcGetDirtyPages + 743 fffff80002a2e9d7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!MmForceSectionClosed + 808 fffff80002a2f934 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExSetResourceOwnerPointerEx + 96 fffff80002a2fe44 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoGetDeviceAttachmentBaseRef + 116 fffff80002a30024 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PoSetPowerRequest + 171 fffff80002a301ab 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireSharedWaitForExclusive + 95 fffff80002a3078f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeQueryDpcWatchdogInformation + 170 fffff80002a32a9a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeQueryDpcWatchdogInformation + 245 fffff80002a32ae5 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoQueueWorkItemEx + 542 fffff80002a3413e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlFreeHeap + 62 fffff80002a37a3e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PsGetProcessWow64Process + 659 fffff80002a3d473 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeQueryNodeActiveAffinity + 473 fffff80002a3dc1d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeQueryHighestNodeNumber + 170 fffff80002a3dd5a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeQueryHighestNodeNumber + 392 fffff80002a3de38 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!RtlInitializeGenericTableAvl + 539 fffff80002a3ec3f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!_wcsicmp + 81 fffff80002a3ed71 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcPurgeCacheSection + 220 fffff80002a3fc2c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcPurgeCacheSection + 675 fffff80002a3fdf3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtYieldExecution + 751 fffff80002a40687 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PsGetJobUIRestrictionsClass + 325 fffff80002a43f05 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlTruncateBaseMcb + 515 fffff80002a44927 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExEnterCriticalRegionAndAcquireResourceShared + 88 fffff80002a4560c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExEnterCriticalRegionAndAcquireResourceShared + 530 fffff80002a457c6 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoBuildPartialMdl + 630 fffff80002a4e986 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInitializeDpc + 259 fffff80002a4ed2b 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInitializeDpc + 663 fffff80002a4eebf 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeSetEventBoostPriority + 739 fffff80002a511b7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoGetAttachedDeviceReference + 209 fffff80002a54d81 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcSetLogHandleForFile + 270 fffff80002a55e16 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!bsearch + 470 fffff80002a588f6 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!bsearch + 830 fffff80002a58a5e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInsertQueueDpc + 399 fffff80002a5aeef 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInsertQueueDpc + 627 fffff80002a5afd3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtWaitForWorkViaWorkerFactory + 481 fffff80002a5cbf1 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtWaitForWorkViaWorkerFactory + 846 fffff80002a5cd5e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtReleaseWorkerFactoryWorker + 289 fffff80002a5d33d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtReleaseWorkerFactoryWorker + 620 fffff80002a5d488 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeResetEvent + 540 fffff80002a5d758 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireRundownProtectionCacheAware + 33 fffff80002a5dbdd 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlIsNameInExpression + 724 fffff80002a5fec4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExConvertExclusiveToSharedLite + 28 fffff80002a5ff38 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExConvertExclusiveToSharedLite + 347 fffff80002a60077 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtSetInformationWorkerFactory + 740 fffff80002a607a4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PsGetProcessJob + 945 fffff80002a622d9 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfAcquirePushLockExclusive + 28 fffff80002a6299c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfAcquirePushLockExclusive + 225 fffff80002a62a61 1 byte {JMP 0x11} .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!PsIsSystemProcess + 401 fffff80002a64a65 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtWorkerFactoryWorkerReady + 207 fffff80002a64c4f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtWorkerFactoryWorkerReady + 275 fffff80002a64c93 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!ExfReleasePushLockShared + 8 fffff80002a6615c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExpInterlockedPopEntrySList + 7 fffff80002a682e7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExpInterlockedPopEntrySList + 62 fffff80002a6831e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExpInterlockedPushEntrySList + 3 fffff80002a68363 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExpInterlockedFlushSList + 3 fffff80002a683f3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExpInterlockedFlushSList + 99 fffff80002a68453 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExInterlockedInsertHeadList + 2 fffff80002a685b2 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExInterlockedInsertTailList + 2 fffff80002a68612 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExInterlockedPushEntryList + 2 fffff80002a68722 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!memset + 329 fffff80002a726d9 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeWaitForMultipleObjects + 194 fffff80002a749e2 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeWaitForMultipleObjects + 774 fffff80002a74c26 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireResourceExclusiveLite + 101 fffff80002a761c5 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel + 46 fffff80002a7639e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel + 722 fffff80002a76642 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeDelayExecutionThread + 95 fffff80002a76d5b 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireResourceSharedLite + 92 fffff80002a76ffc 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeWaitForMutexObject + 112 fffff80002a77d70 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeWaitForMutexObject + 756 fffff80002a77ff4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeRemoveQueueEx + 107 fffff80002a7841b 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseInStackQueuedSpinLock + 46 fffff80002a7a46e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExQueryDepthSList + 495 fffff80002a7a6cf 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExQueryDepthSList + 781 fffff80002a7a7ed 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeUpdateSystemTime + 957 fffff80002a7ac2d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInterlockedSetProcessorAffinityEx + 44 fffff80002a7ad6c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInterlockedClearProcessorAffinityEx + 50 fffff80002a7add2 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseMutant + 152 fffff80002a7b2b8 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeSetTimer + 170 fffff80002a7be3e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeSetTimer + 513 fffff80002a7bf95 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeUpdateRunTime + 248 fffff80002a7c6f8 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoFreeWorkItem + 507 fffff80002a80063 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExIsResourceAcquiredExclusiveLite + 62 fffff80002a81c8e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExIsResourceAcquiredExclusiveLite + 170 fffff80002a81cfa 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!IoGetRelatedDeviceObject + 850 fffff80002a84242 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoGetIoPriorityHint + 822 fffff80002a848b6 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoGetIoPriorityHint + 946 fffff80002a84932 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlCopyUnicodeString + 358 fffff80002a873a6 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlCopyUnicodeString + 762 fffff80002a8753a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcSetParallelFlushFile + 220 fffff80002a8919c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcInitializeCacheMap + 511 fffff80002a8968f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcUninitializeCacheMap + 470 fffff80002a8a286 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcUninitializeCacheMap + 625 fffff80002a8a321 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!ExIsResourceAcquiredSharedLite + 108 fffff80002a8b15c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!MmUnlockPages + 854 fffff80002a8e9c6 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoReleaseCancelSpinLock + 56 fffff80002a8ffb8 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExReleaseRundownProtection + 575 fffff80002a90273 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExReleaseRundownProtection + 597 fffff80002a90289 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireSharedStarveExclusive + 94 fffff80002a927de 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ObDereferenceObjectDeferDelete + 247 fffff80002a940f7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ObDereferenceObjectDeferDelete + 694 fffff80002a942b6 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcSetDirtyPinnedData + 576 fffff80002a96a10 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcSetFileSizesEx + 330 fffff80002a97656 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcSetFileSizesEx + 594 fffff80002a9775e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseQueuedSpinLock + 63 fffff80002a97a4f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoSetIoPriorityHint + 66 fffff80002a980f2 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlDissectName + 385 fffff80002a9acf1 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlLookupFunctionEntry + 148 fffff80002a9b724 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeRestoreFloatingPointState + 639 fffff80002a9e6df 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfAcquirePushLockShared + 28 fffff80002aa169c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfAcquirePushLockShared + 183 fffff80002aa1737 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeUnstackDetachProcess + 594 fffff80002aa1ad2 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcFlushCache + 393 fffff80002ab25c9 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlLookupPerStreamContextInternal + 160 fffff80002aba090 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlLookupPerStreamContextInternal + 449 fffff80002aba1b1 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExDisableResourceBoostLite + 28 fffff80002abb4f4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireSpinLockSharedAtDpcLevel + 85 fffff80002abe431 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!EtwSetInformation + 839 fffff80002ac6327 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfTryAcquirePushLockShared + 4 fffff80002afd824 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ObIsKernelHandle + 913 fffff80002b03461 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!EtwProviderEnabled + 254 fffff80002b0a30e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!EtwProviderEnabled + 909 fffff80002b0a59d 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!KeTryToAcquireQueuedSpinLockRaiseToSynch + 104 fffff80002b173e8 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlFastCheckLockForRead + 633 fffff80002b1f039 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlFastCheckLockForRead + 749 fffff80002b1f0ad 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseGuardedMutexUnsafe + 290 fffff80002b331f2 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseGuardedMutexUnsafe + 527 fffff80002b332df 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!MmMarkPhysicalMemoryAsGood + 67 fffff80002b34f83 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExUnregisterAttributeInformationCallback + 283 fffff80002b391fb 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExUnregisterAttributeInformationCallback + 343 fffff80002b39237 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlTraceDatabaseValidate + 386 fffff80002b39c12 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlTraceDatabaseValidate + 469 fffff80002b39c65 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!RtlSizeHeap + 26 fffff80002b3b33a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!MmMarkPhysicalMemoryAsBad + 848 fffff80002b4d550 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!MmAdvanceMdl + 428 fffff80002b56a4c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!MmAdvanceMdl + 493 fffff80002b56a8d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoWriteErrorLogEntry + 768 fffff80002b59950 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoWriteErrorLogEntry + 829 fffff80002b5998d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlLookupPerFileContext + 170 fffff80002b5c6ba 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!EtwSendTraceBuffer + 311 fffff80002b5c877 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!EtwSendTraceBuffer + 655 fffff80002b5c9cf 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlRemovePerStreamContext + 270 fffff80002b5cb6e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlRemovePerFileContext + 188 fffff80002b5ccfc 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!WmiTraceMessageVa + 531 fffff80002b5cf93 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!WmiTraceMessageVa + 770 fffff80002b5d082 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlPcToFileHeader + 111 fffff80002b5e63f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeEnterKernelDebugger + 268 fffff80002b62b0c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!MmFreePagesFromMdl + 524 fffff80002b6a76c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!MmFreePagesFromMdl + 611 fffff80002b6a7c3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoApplyPriorityInfoThread + 454 fffff80002b6b296 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcUnpinRepinnedBcb + 203 fffff80002b6ddbb 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcMdlWriteAbort + 791 fffff80002b6e217 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcMdlWriteAbort + 819 fffff80002b6e233 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlFastUnlockAllByKey + 152 fffff80002b7ade8 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlFastUnlockAllByKey + 296 fffff80002b7ae78 1 byte [1F] .text ... * 3 .text C:\Windows\system32\ntoskrnl.exe!IoRaiseHardError + 275 fffff80002b882f3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoRaiseHardError + 483 fffff80002b883c3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtQueryInformationWorkerFactory + 540 fffff80002b917fc 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlInsertPerFileContext + 187 fffff80002b9197b 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoTranslateBusAddress + 707 fffff80002b921f3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PoRequestPowerIrp + 584 fffff80002b93b88 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlCreateSectionForDataScan + 996 fffff80002b9d3e4 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAreMappedFilesTheSame + 250 fffff80002cc7a2a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSuspendThread + 247 fffff80002cc8293 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSuspendThread + 353 fffff80002cc82fd 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtGetContextThread + 283 fffff80002cc846f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlNotifyCleanup + 963 fffff80002cc8b33 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAddAtom + 859 fffff80002cca907 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeleteFile + 596 fffff80002cced14 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoGetDeviceProperty + 776 fffff80002cdd320 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoGetDeviceProperty + 997 fffff80002cdd3fd 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreatePrivateNamespace + 483 fffff80002cddb07 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlDeleteKeyFromTunnelCache + 462 fffff80002cde376 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ProbeForRead + 162 fffff80002cde666 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ProbeForRead + 568 fffff80002cde7fc 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlDuplicateUnicodeString + 555 fffff80002cec0eb 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeleteKey + 378 fffff80002ceca22 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!TmPrePrepareEnlistment + 475 fffff80002cefebb 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!TmPrePrepareEnlistment + 691 fffff80002ceff93 1 byte [1F] PAGE ... * 3 PAGE C:\Windows\system32\ntoskrnl.exe!NtRecoverResourceManager + 987 fffff80002cf3383 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSystemDebugControl + 654 fffff80002cfd54a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSystemDebugControl + 896 fffff80002cfd63c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlOplockBreakH + 711 fffff80002cff6f7 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenPrivateNamespace + 258 fffff80002d03d56 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenPrivateNamespace + 400 fffff80002d03de4 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObMakeTemporaryObject + 53 fffff80002d048c5 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObFindHandleForObject + 121 fffff80002d04c09 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExEnumHandleTable + 102 fffff80002d04cf6 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObSetSecurityDescriptorInfo + 264 fffff80002d07190 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObSetSecurityDescriptorInfo + 354 fffff80002d071ea 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcCreateSectionView + 365 fffff80002d07aad 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcCreateSectionView + 407 fffff80002d07ad7 1 byte [1F] PAGE ... * 3 PAGE C:\Windows\system32\ntoskrnl.exe!RtlCompareUnicodeString + 547 fffff80002d08f13 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlCompareUnicodeString + 728 fffff80002d08fc8 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoGetIrpExtraCreateParameter + 196 fffff80002d094f4 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtFlushKey + 353 fffff80002d0cc4d 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeReleaseSubjectContext + 205 fffff80002d0d74d 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeReleaseSubjectContext + 238 fffff80002d0d76e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcDeleteSecurityContext + 204 fffff80002d0dbf0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAccessCheckByTypeAndAuditAlarm + 236 fffff80002d0e0a0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAccessCheckByTypeAndAuditAlarm + 460 fffff80002d0e180 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!ObSetHandleAttributes + 307 fffff80002d1092f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsSetThreadWin32Thread + 187 fffff80002d10a6f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsSetThreadWin32Thread + 373 fffff80002d10b29 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!MmSecureVirtualMemory + 114 fffff80002d121b6 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsSetProcessWin32Process + 736 fffff80002d139d4 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsSetProcessWin32Process + 898 fffff80002d13a76 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlRunOnceBeginInitialize + 50 fffff80002d15d4e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlRunOnceBeginInitialize + 828 fffff80002d16058 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!PsReferenceProcessFilePointer + 34 fffff80002d16c26 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsReferenceProcessFilePointer + 103 fffff80002d16c6b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQuerySymbolicLinkObject + 464 fffff80002d193f0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeTokenType + 676 fffff80002d1ffe0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeTokenType + 753 fffff80002d2002d 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtShutdownWorkerFactory + 227 fffff80002d258af 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAssignProcessToJobObject + 184 fffff80002d267e4 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAssignProcessToJobObject + 367 fffff80002d2689b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcDisconnectPort + 307 fffff80002d27ff7 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcDisconnectPort + 470 fffff80002d2809a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtTerminateProcess + 175 fffff80002d282af 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtTerminateProcess + 237 fffff80002d282ed 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcDeleteSectionView + 191 fffff80002d2864f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAcceptConnectPort + 343 fffff80002d29297 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlTeardownPerStreamContexts + 123 fffff80002d29e97 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlTeardownPerStreamContexts + 471 fffff80002d29ff3 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcOpenSenderThread + 558 fffff80002d2b22e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcOpenSenderThread + 717 fffff80002d2b2cd 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!MmLockPagableSectionByHandle + 456 fffff80002d2b6f8 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!MmLockPagableSectionByHandle + 588 fffff80002d2b77c 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!LpcRequestPort + 315 fffff80002d2c793 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSetInformationThread + 978 fffff80002d38ac2 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenProcess + 289 fffff80002d42711 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcQueryInformationMessage + 604 fffff80002d42c1c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcImpersonateClientOfPort + 388 fffff80002d42fd4 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlCopySidAndAttributesArray + 696 fffff80002d43e1c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlCopySidAndAttributesArray + 905 fffff80002d43eed 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDuplicateObject + 751 fffff80002d4942f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreateSection + 434 fffff80002d4b0b2 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeCreateClientSecurity + 571 fffff80002d4bdc3 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeCreateClientSecurity + 631 fffff80002d4bdff 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObReferenceObjectByName + 305 fffff80002d4d241 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObOpenObjectByPointer + 371 fffff80002d4da87 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlGetFileSize + 349 fffff80002d50511 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryObject + 963 fffff80002d51c63 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcOpenSenderProcess + 558 fffff80002d53a3e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcOpenSenderProcess + 750 fffff80002d53afe 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!NtAccessCheckAndAuditAlarm + 562 fffff80002d5507e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAccessCheckAndAuditAlarm + 669 fffff80002d550e9 1 byte [1F] PAGE ... * 3 PAGE C:\Windows\system32\ntoskrnl.exe!RtlAnsiStringToUnicodeString + 538 fffff80002d56c9a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlAnsiStringToUnicodeString + 932 fffff80002d56e24 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlGUIDFromString + 535 fffff80002d5785b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExQueryAttributeInformation + 27 fffff80002d58137 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExQueryAttributeInformation + 78 fffff80002d5816a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcSetInformation + 382 fffff80002d5843a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcSetInformation + 832 fffff80002d585fc 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlertThread + 766 fffff80002d58e7e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlertThread + 918 fffff80002d58f16 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcCreatePort + 645 fffff80002d594cd 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcCreatePort + 771 fffff80002d5954b 1 byte [1F] PAGE ... * 3 PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcCreateResourceReserve + 315 fffff80002d597d3 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObLogSecurityDescriptor + 261 fffff80002d5c2b5 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlAreAllAccessesGranted + 697 fffff80002d5d7ed 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlAreAllAccessesGranted + 961 fffff80002d5d8f5 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreateThreadEx + 715 fffff80002d6335f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObReferenceObjectByHandleWithTag + 229 fffff80002d68d75 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObReferenceObjectByHandleWithTag + 265 fffff80002d68d99 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!NtDelayExecution + 401 fffff80002d69315 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtWaitForMultipleObjects + 562 fffff80002d6993a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcSendWaitReceivePort + 967 fffff80002d81f57 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtWriteFile + 217 fffff80002d87ea9 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlGetEcpListFromIrp + 714 fffff80002d8948e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlGetEcpListFromIrp + 875 fffff80002d8952f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObDereferenceSecurityDescriptor + 592 fffff80002d8c6b0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObDereferenceSecurityDescriptor + 684 fffff80002d8c70c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenMutant + 498 fffff80002d8f3b6 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenMutant + 623 fffff80002d8f433 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!NtQuerySection + 406 fffff80002d920b2 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQuerySection + 523 fffff80002d92127 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!NtDeletePrivateNamespace + 465 fffff80002d93291 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeletePrivateNamespace + 593 fffff80002d93311 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!MmGetSystemRoutineAddress + 232 fffff80002d9735c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoSetIoCompletion + 484 fffff80002d97c18 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsAcquireProcessExitSynchronization + 12 fffff80002df470c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExRaiseDatatypeMisalignment + 499 fffff80002e02e93 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExRaiseDatatypeMisalignment + 571 fffff80002e02edb 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!PsReleaseProcessExitSynchronization + 12 fffff80002e02fbc 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsSetCurrentThreadPrefetching + 148 fffff80002e04b74 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsSetCurrentThreadPrefetching + 579 fffff80002e04d23 1 byte [1F] PAGE ... * 3 PAGE C:\Windows\system32\ntoskrnl.exe!RtlRunOnceComplete + 103 fffff80002e07357 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoDeleteController + 699 fffff80002e0d44b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!MmUnmapViewInSessionSpace + 214 fffff80002e20f56 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!MmUnmapViewInSessionSpace + 375 fffff80002e20ff7 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcRevokeSecurityContext + 223 fffff80002e4613f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtThawTransactions + 920 fffff80002e4a008 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtUnloadDriver + 491 fffff80002e55abb 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtUnloadDriver + 658 fffff80002e55b62 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtReplyWaitReplyPort + 450 fffff80002e64202 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtReplyWaitReplyPort + 889 fffff80002e643b9 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryEnvironmentVariableInfoEx + 481 fffff80002e64ba1 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryEnvironmentVariableInfoEx + 945 fffff80002e64d71 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExGetLicenseTamperState + 903 fffff80002e65217 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoRegisterFileSystem + 679 fffff80002e662a7 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExSetLicenseTamperState + 835 fffff80002e690b3 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsResumeProcess + 38 fffff80002e69f06 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsResumeProcess + 128 fffff80002e69f60 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsQueryProcessExceptionFlags + 187 fffff80002e6a08b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsQueryProcessExceptionFlags + 414 fffff80002e6a16e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsSuspendProcess + 38 fffff80002e6a526 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsSuspendProcess + 130 fffff80002e6a582 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!PoUserShutdownInitiated + 589 fffff80002e6a9fd 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoWMIAllocateInstanceIds + 476 fffff80002e726fc 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObUnRegisterCallbacks + 136 fffff80002e82ef8 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObUnRegisterCallbacks + 686 fffff80002e8311e 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!ObCreateObjectType + 567 fffff80002e83bd7 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObCreateObjectType + 809 fffff80002e83cc9 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!EmClientRuleEvaluate + 294 fffff80002e84576 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtMapUserPhysicalPagesScatter + 845 fffff80002e8839d 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtMapUserPhysicalPages + 715 fffff80002e88b2b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSetTimerResolution + 121 fffff80002ea07d9 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSetTimerResolution + 208 fffff80002ea0830 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtStopProfile + 615 fffff80002ea55f7 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtStopProfile + 738 fffff80002ea5672 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!CmCallbackGetKeyObjectID + 208 fffff80002ea5aa0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtLockRegistryKey + 662 fffff80002ea78a6 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtLockRegistryKey + 783 fffff80002ea791f 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!ExRaiseHardError + 976 fffff80002ea9000 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeFilterToken + 496 fffff80002eac4a0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeFilterToken + 653 fffff80002eac53d 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtMakePermanentObject + 151 fffff80002eb0b37 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoUnregisterContainerNotification + 130 fffff80002eb10e2 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!CmSetCallbackObjectContext + 231 fffff80002eb1247 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!CmSetCallbackObjectContext + 553 fffff80002eb1389 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!ObRegisterCallbacks + 525 fffff80002eb213d 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!CmUnRegisterCallback + 272 fffff80002eb3590 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!CmUnRegisterCallback + 505 fffff80002eb3679 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!IoRegisterContainerNotification + 352 fffff80002eb59e0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDebugActiveProcess + 268 fffff80002ec958c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDebugActiveProcess + 369 fffff80002ec95f1 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCompressKey + 544 fffff80002efabc0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCompressKey + 617 fffff80002efac09 1 byte [1F] .text C:\Windows\system32\hal.dll!HalQueryMaximumProcessorCount + 91 fffff80002ff9b3b 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltReleasePushLock + 5 fffff88000e59715 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltPerformAsynchronousIo + 837 fffff88000e5e4b5 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltGetInstanceContext + 148 fffff88000e5f014 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltDeleteInstanceContext + 98 fffff88000e5fe52 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltDeleteInstanceContext + 232 fffff88000e5fed8 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltSendMessage + 187 fffff88000e65cdb 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltQueueGenericWorkItem + 794 fffff88000e66f0a 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltQueueGenericWorkItem + 930 fffff88000e66f92 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltSetInstanceContext + 482 fffff88000e67222 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltGetStreamContext + 760 fffff88000e68078 1 byte [1F] PAGE C:\Windows\system32\drivers\fltmgr.sys!FltCloseClientPort + 65 fffff88000e89aa1 1 byte [1F] .text C:\Windows\system32\drivers\NETIO.SYS!KfdCheckClassifyNeededAndUpdateEpoch + 97 fffff88001743011 1 byte [1F] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\KERNELBASE.dll!GetLocaleInfoW + 472 000007fefd48ee18 1 byte [1F] .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!wcscspn + 182 0000000077497e3e 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 190 000000007749bd3e 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 739 00000000774a3c13 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 881 00000000774a3ca1 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\services.exe[532] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd5f2930 5 bytes JMP 000007febceb0358 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SwitchDesktop 0000000077395354 7 bytes JMP 00000000374d1498 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077396ee0 8 bytes JMP 00000000374d1018 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077398164 7 bytes JMP 00000000374d12b8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetParent 0000000077398500 8 bytes JMP 00000000374d1078 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077399bb0 6 bytes JMP 00000000374d07d8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!PostMessageA 000000007739a3d8 5 bytes JMP 00000000374d0958 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!EnableWindow 000000007739aa84 9 bytes JMP 00000000374d1378 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!MoveWindow 000000007739aab0 8 bytes JMP 00000000374d10d8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 000000007739b4e8 6 bytes JMP 00000000374d0898 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007739c6dc 5 bytes JMP 00000000374d0fb8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007739cd20 8 bytes JMP 00000000374d1258 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007739d2b4 5 bytes JMP 00000000374d0a18 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendMessageA 000000007739d33c 5 bytes JMP 00000000374d0ad8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007739dc20 9 bytes JMP 00000000374d0d78 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007739f4f0 7 bytes JMP 00000000374d1318 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007739f864 9 bytes JMP 00000000374d0718 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007739fab0 9 bytes JMP 00000000374d0bf8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773a0b64 10 bytes JMP 00000000374d0a78 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000773a3380 8 bytes JMP 00000000374d0838 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000773a4d3c 5 bytes JMP 00000000374d0778 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!GetKeyState 00000000773a4ff0 5 bytes JMP 00000000374d0f58 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773a5428 1 byte JMP 00000000374d0cb8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendMessageCallbackW + 2 00000000773a542a 5 bytes {JMP 0xffffffffc012b890} .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendMessageW 00000000773a6b60 5 bytes JMP 00000000374d0b38 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 00000000773a76fc 8 bytes JMP 00000000374d08f8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!PostMessageW 00000000773a7724 7 bytes JMP 00000000374d09b8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773addcc 5 bytes JMP 00000000374d0e38 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ae884 5 bytes JMP 00000000374d11f8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773af7a0 8 bytes JMP 00000000374d1138 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773b28e4 12 bytes JMP 00000000374d0d18 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!mouse_event 00000000773b38a4 7 bytes JMP 00000000374d0658 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773b8a10 8 bytes JMP 00000000374d0ef8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773b8bd8 12 bytes JMP 00000000374d0b98 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773b8c20 12 bytes JMP 00000000374d06b8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendInput 00000000773b8cd0 8 bytes JMP 00000000374d0e98 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!BlockInput 00000000773bad50 8 bytes JMP 00000000374d1198 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!ClipCursor 00000000773bada0 8 bytes JMP 00000000374d1438 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000773e1574 5 bytes JMP 00000000374d13d8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SetSystemCursor 00000000774045f0 5 bytes JMP 00000000374d14f8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!keybd_event 0000000077404650 7 bytes JMP 00000000374d05f8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007740cccc 5 bytes JMP 00000000374d0dd8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007740dfbc 7 bytes JMP 00000000374d0c58 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb0418 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb0718 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\services.exe[532] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!wcscspn + 182 0000000077497e3e 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 190 000000007749bd3e 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualDomainName + 551 00000000774a0047 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!TpCancelAsyncIoOperation + 385 000000007755a731 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\KERNELBASE.dll!GetLocaleInfoW + 472 000007fefd48ee18 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlGetUserInfoHeap + 138 000000007757808a 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\winlogon.exe[624] C:\Windows\system32\KERNELBASE.dll!GetLocaleInfoW + 472 000007fefd48ee18 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!wcscspn + 182 0000000077497e3e 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlInitEnumerationHashTable + 137 0000000077498359 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 739 00000000774a3c13 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 881 00000000774a3ca1 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd5f2930 5 bytes JMP 000007febceb0358 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb0418 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb0718 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlInitEnumerationHashTable + 137 0000000077498359 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualDomainName + 551 00000000774a0047 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd5f2930 5 bytes JMP 000007febceb0358 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb0418 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb0718 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 190 000000007749bd3e 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualDomainName + 551 00000000774a0047 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774dbcb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 1 byte JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 2 00000000774dc082 6 bytes {JMP 0xfffffffff8b14090} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] C:\Windows\SYSTEM32\ntdll.dll!TpCancelAsyncIoOperation + 385 000000007755a731 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpAllocCleanupGroup + 311 0000000077497987 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 190 000000007749bd3e 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualDomainName + 551 00000000774a0047 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!RtlGetUserInfoHeap + 138 000000007757808a 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\atiesrxx.exe[984] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!wcscspn + 182 0000000077497e3e 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 190 000000007749bd3e 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 739 00000000774a3c13 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 881 00000000774a3ca1 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 190 000000007749bd3e 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!wcscspn + 182 0000000077497e3e 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 190 000000007749bd3e 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualDomainName + 551 00000000774a0047 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\DNSAPI.dll!DnsGetProxyInformation + 110 000007fefc705f7a 1 byte [1F] .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\DNSAPI.dll!DnsGetProxyInformation + 138 000007fefc705f96 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!wcscspn + 182 0000000077497e3e 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 190 000000007749bd3e 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualDomainName + 551 00000000774a0047 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 739 00000000774a3c13 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 881 00000000774a3ca1 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlSetThreadPreferredUILanguages + 610 00000000774c55a2 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!TpReleasePool + 157 00000000774d366d 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd5f2930 5 bytes JMP 000007febceb0358 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb0418 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb0718 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\DNSAPI.dll!DnsGetProxyInformation + 110 000007fefc705f7a 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\DNSAPI.dll!DnsGetProxyInformation + 138 000007fefc705f96 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] c:\windows\system32\ESENT.dll!JetSetSystemParameter + 226 000007fef86d2b92 1 byte [1F] .text C:\Windows\system32\svchost.exe[644] c:\windows\system32\ESENT.dll!JetSetSystemParameter + 350 000007fef86d2c0e 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[644] c:\windows\system32\ESENT.dll!DebugExtensionNotify + 687 000007fef86fa50f 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\atieclxx.exe[1220] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\System32\spoolsv.exe[1268] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 739 00000000774a3c13 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 881 00000000774a3ca1 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimerQueueEx + 211 000000007755ae23 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd5f2930 5 bytes JMP 000007febceb0358 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb0418 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb0718 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9f0 5 bytes JMP 0000000073a02e50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007768fb38 5 bytes JMP 00000000739f83f0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fcc0 5 bytes JMP 00000000739f7990 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd74 5 bytes JMP 00000000739f90a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fdd8 5 bytes JMP 00000000739f8790 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fed0 5 bytes JMP 00000000739fabb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007768ff84 5 bytes JMP 00000000739f6c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ffb4 5 bytes JMP 00000000739f89a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077690014 5 bytes JMP 00000000739f7550 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690094 5 bytes JMP 00000000739f77a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776900c4 5 bytes JMP 00000000739f8d50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776903c8 5 bytes JMP 00000000739fa0a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776903e0 5 bytes JMP 00000000739fb970 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690560 5 bytes JMP 00000000739fb690 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776906a4 5 bytes JMP 00000000739f7b80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077690704 5 bytes JMP 00000000739fba80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776907ac 5 bytes JMP 00000000739f6af0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776907f4 5 bytes JMP 00000000739fbb90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077690884 5 bytes JMP 00000000739f6d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769089c 5 bytes JMP 00000000739fae80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776908b4 5 bytes JMP 00000000739fa5d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690e04 5 bytes JMP 00000000739f7df0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690ee8 5 bytes JMP 00000000739f8200 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bf4 5 bytes JMP 00000000739f7ff0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691cc4 5 bytes JMP 00000000739faa60 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d9c 5 bytes JMP 00000000739f85e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776ac0f0 7 bytes JMP 0000000073a02cd0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b73be3 5 bytes JMP 00000000739f5520 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b79ae4 5 bytes JMP 00000000739eefe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b83baa 7 bytes JMP 00000000739efba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b8cd11 5 bytes JMP 00000000739eecd0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076bddda6 7 bytes JMP 00000000739ef210 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076bdde49 7 bytes JMP 00000000739ef520 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f8a7 5 bytes JMP 0000000073a02cb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076f9fcda 5 bytes JMP 00000000739f6400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076fa2e0b 4 bytes {CALL QWORD [RIP+0x6e7f000a]} .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\DbxSvc.exe[1528] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpAllocCleanupGroup + 311 0000000077497987 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualDomainName + 551 00000000774a0047 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\System32\svchost.exe[1576] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\ESENT.dll!JetSetSystemParameter + 226 000007fef86d2b92 1 byte [1F] .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\ESENT.dll!JetSetSystemParameter + 350 000007fef86d2c0e 1 byte [1F] .text ... * 2 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\system32\ESENT.dll!DebugExtensionNotify + 687 000007fef86fa50f 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualDomainName + 551 00000000774a0047 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!TpCancelAsyncIoOperation + 385 000000007755a731 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9f0 5 bytes JMP 0000000073a02e50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007768fb38 5 bytes JMP 00000000739f83f0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fcc0 5 bytes JMP 00000000739f7990 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd74 5 bytes JMP 00000000739f90a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fdd8 5 bytes JMP 00000000739f8790 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fed0 5 bytes JMP 00000000739fabb0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007768ff84 5 bytes JMP 00000000739f6c00 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ffb4 5 bytes JMP 00000000739f89a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077690014 5 bytes JMP 00000000739f7550 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690094 5 bytes JMP 00000000739f77a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776900c4 5 bytes JMP 00000000739f8d50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776903c8 5 bytes JMP 00000000739fa0a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776903e0 5 bytes JMP 00000000739fb970 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690560 5 bytes JMP 00000000739fb690 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776906a4 5 bytes JMP 00000000739f7b80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077690704 5 bytes JMP 00000000739fba80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776907ac 5 bytes JMP 00000000739f6af0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776907f4 5 bytes JMP 00000000739fbb90 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077690884 5 bytes JMP 00000000739f6d10 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769089c 5 bytes JMP 00000000739fae80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776908b4 5 bytes JMP 00000000739fa5d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690e04 5 bytes JMP 00000000739f7df0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690ee8 5 bytes JMP 00000000739f8200 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bf4 5 bytes JMP 00000000739f7ff0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691cc4 5 bytes JMP 00000000739faa60 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d9c 5 bytes JMP 00000000739f85e0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776ac0f0 7 bytes JMP 0000000073a02cd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b73be3 5 bytes JMP 00000000739f5520 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b79ae4 5 bytes JMP 00000000739eefe0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b83baa 7 bytes JMP 00000000739efba0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b8cd11 5 bytes JMP 00000000739eecd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076bddda6 7 bytes JMP 00000000739ef210 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076bdde49 7 bytes JMP 00000000739ef520 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f8a7 5 bytes JMP 0000000073a02cb0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076f9fcda 5 bytes JMP 00000000739f6400 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076fa2e0b 4 bytes {CALL QWORD [RIP+0x6e55000a]} .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\taskeng.exe[1768] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9f0 5 bytes JMP 0000000073a02e50 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007768fb38 5 bytes JMP 00000000739f83f0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fcc0 5 bytes JMP 00000000739f7990 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd74 5 bytes JMP 00000000739f90a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fdd8 5 bytes JMP 00000000739f8790 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fed0 5 bytes JMP 00000000739fabb0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007768ff84 5 bytes JMP 00000000739f6c00 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ffb4 5 bytes JMP 00000000739f89a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077690014 5 bytes JMP 00000000739f7550 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690094 5 bytes JMP 00000000739f77a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776900c4 5 bytes JMP 00000000739f8d50 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776903c8 5 bytes JMP 00000000739fa0a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776903e0 5 bytes JMP 00000000739fb970 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690560 5 bytes JMP 00000000739fb690 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776906a4 5 bytes JMP 00000000739f7b80 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077690704 5 bytes JMP 00000000739fba80 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776907ac 5 bytes JMP 00000000739f6af0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776907f4 5 bytes JMP 00000000739fbb90 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077690884 5 bytes JMP 00000000739f6d10 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769089c 5 bytes JMP 00000000739fae80 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776908b4 5 bytes JMP 00000000739fa5d0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690e04 5 bytes JMP 00000000739f7df0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690ee8 5 bytes JMP 00000000739f8200 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bf4 5 bytes JMP 00000000739f7ff0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691cc4 5 bytes JMP 00000000739faa60 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d9c 5 bytes JMP 00000000739f85e0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776ac0f0 7 bytes JMP 0000000073a02cd0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b73be3 5 bytes JMP 00000000739f5520 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b79ae4 5 bytes JMP 00000000739eefe0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b83baa 7 bytes JMP 00000000739efba0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b8cd11 5 bytes JMP 00000000739eecd0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076bddda6 7 bytes JMP 00000000739ef210 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076bdde49 7 bytes JMP 00000000739ef520 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f8a7 5 bytes JMP 0000000073a02cb0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076f9fcda 5 bytes JMP 00000000739f6400 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076fa2e0b 4 bytes {CALL QWORD [RIP+0x6d8e000a]} .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000768f8342 5 bytes JMP 0000000073a03de0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000768f8c0f 5 bytes JMP 0000000073a04750 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768f90e3 7 bytes JMP 0000000073a03800 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000768f9689 5 bytes JMP 0000000073a04c40 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768f97e2 5 bytes JMP 0000000073a051a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768fee19 5 bytes JMP 0000000073a039d0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000768fefd9 5 bytes JMP 0000000073a078d0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769012b5 5 bytes JMP 0000000073a04260 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007690292f 5 bytes JMP 0000000073a06860 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SetParent 0000000076902d74 5 bytes JMP 0000000073a07130 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076902db4 5 bytes JMP 0000000073a07af0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000769036a8 5 bytes JMP 0000000073a06f10 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076903bba 5 bytes JMP 0000000073a03fc0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076903c71 5 bytes JMP 0000000073a04500 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076906120 5 bytes JMP 0000000073a03c00 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007690613e 5 bytes JMP 0000000073a049a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076906c40 7 bytes JMP 0000000073a03620 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076907613 5 bytes JMP 0000000073a03300 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076907678 5 bytes JMP 0000000073a05c30 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769076f0 5 bytes JMP 0000000073a05700 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007690782f 5 bytes JMP 0000000073a04ee0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007690836c 5 bytes JMP 0000000073a03040 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007690c4c6 5 bytes JMP 0000000073a07320 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076911363 5 bytes JMP 0000000073a07f00 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007691c122 5 bytes JMP 0000000073a05ec0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007691d109 5 bytes JMP 0000000073a06110 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007691ebb6 5 bytes JMP 0000000073a06ad0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007691ec88 5 bytes JMP 0000000073a065c0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendInput 000000007691ff6a 5 bytes JMP 0000000073a06360 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000769398ec 5 bytes JMP 0000000073a08160 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076939fdb 5 bytes JMP 0000000073a076c0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007694156b 5 bytes JMP 0000000073a07d20 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000769502cd 5 bytes JMP 0000000073a08300 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076950343 5 bytes JMP 00000000739f0af0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076950387 5 bytes JMP 00000000739f0920 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076956dc4 5 bytes JMP 0000000073a05460 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076956e25 5 bytes JMP 0000000073a059a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076957e9f 5 bytes JMP 0000000073a074f0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769589b3 5 bytes JMP 0000000073a06d30 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1836] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763c9cbb 5 bytes JMP 00000000739fc2e0 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!wcscspn + 182 0000000077497e3e 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlInitEnumerationHashTable + 137 0000000077498359 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 190 000000007749bd3e 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 739 00000000774a3c13 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentStrings + 881 00000000774a3ca1 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlGetUserInfoHeap + 138 000000007757808a 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlGetUserInfoHeap + 435 00000000775781b3 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\KERNELBASE.dll!GetLocaleInfoW + 472 000007fefd48ee18 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\Explorer.EXE[1976] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2100] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\conhost.exe[2136] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 396 000000007749bf1c 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForTimer + 293 000000007749d105 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteTimer + 211 000000007749d263 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!TpReleasePool + 157 00000000774d366d 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 00000000374d0238 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 1 byte JMP 00000000374d0358 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!MoveFileW + 2 00000000772ff7d2 8 bytes {JMP 0xffffffffc01d0b88} .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000374d02f8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Program Files\CCleaner\CCleaner64.exe[2524] C:\Windows\system32\ESENT.dll!DebugExtensionNotify + 687 000007fef86fa50f 1 byte [1F] .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9f0 5 bytes JMP 0000000073a02e50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007768fb38 5 bytes JMP 00000000739f83f0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fcc0 5 bytes JMP 00000000739f7990 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd74 5 bytes JMP 00000000739f90a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fdd8 5 bytes JMP 00000000739f8790 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fed0 5 bytes JMP 00000000739fabb0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007768ff84 5 bytes JMP 00000000739f6c00 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ffb4 5 bytes JMP 00000000739f89a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077690014 5 bytes JMP 00000000739f7550 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690094 5 bytes JMP 00000000739f77a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776900c4 5 bytes JMP 00000000739f8d50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776903c8 5 bytes JMP 00000000739fa0a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776903e0 5 bytes JMP 00000000739fb970 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690560 5 bytes JMP 00000000739fb690 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776906a4 5 bytes JMP 00000000739f7b80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077690704 5 bytes JMP 00000000739fba80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776907ac 5 bytes JMP 00000000739f6af0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776907f4 5 bytes JMP 00000000739fbb90 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077690884 5 bytes JMP 00000000739f6d10 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769089c 5 bytes JMP 00000000739fae80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776908b4 5 bytes JMP 00000000739fa5d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690e04 5 bytes JMP 00000000739f7df0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690ee8 5 bytes JMP 00000000739f8200 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bf4 5 bytes JMP 00000000739f7ff0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691cc4 5 bytes JMP 00000000739faa60 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d9c 5 bytes JMP 00000000739f85e0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776ac0f0 7 bytes JMP 0000000073a02cd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b73be3 5 bytes JMP 00000000739f5520 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b79ae4 5 bytes JMP 00000000739eefe0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b83baa 7 bytes JMP 00000000739efba0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b8cd11 5 bytes JMP 00000000739eecd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076bddda6 7 bytes JMP 00000000739ef210 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076bdde49 7 bytes JMP 00000000739ef520 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f8a7 5 bytes JMP 0000000073a02cb0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076f9fcda 5 bytes JMP 00000000739f6400 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076fa2e0b 4 bytes CALL 6f340000 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000768f8342 5 bytes JMP 0000000073a03de0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000768f8c0f 5 bytes JMP 0000000073a04750 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768f90e3 7 bytes JMP 0000000073a03800 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000768f9689 5 bytes JMP 0000000073a04c40 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768f97e2 5 bytes JMP 0000000073a051a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768fee19 5 bytes JMP 0000000073a039d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000768fefd9 5 bytes JMP 0000000073a078d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769012b5 5 bytes JMP 0000000073a04260 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007690292f 5 bytes JMP 0000000073a06860 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SetParent 0000000076902d74 5 bytes JMP 0000000073a07130 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076902db4 5 bytes JMP 0000000073a07af0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000769036a8 5 bytes JMP 0000000073a06f10 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076903bba 5 bytes JMP 0000000073a03fc0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076903c71 5 bytes JMP 0000000073a04500 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076906120 5 bytes JMP 0000000073a03c00 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007690613e 5 bytes JMP 0000000073a049a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076906c40 7 bytes JMP 0000000073a03620 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076907613 5 bytes JMP 0000000073a03300 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076907678 5 bytes JMP 0000000073a05c30 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769076f0 5 bytes JMP 0000000073a05700 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007690782f 5 bytes JMP 0000000073a04ee0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007690836c 5 bytes JMP 0000000073a03040 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007690c4c6 5 bytes JMP 0000000073a07320 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076911363 5 bytes JMP 0000000073a07f00 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007691c122 5 bytes JMP 0000000073a05ec0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007691d109 5 bytes JMP 0000000073a06110 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007691ebb6 5 bytes JMP 0000000073a06ad0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007691ec88 5 bytes JMP 0000000073a065c0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendInput 000000007691ff6a 5 bytes JMP 0000000073a06360 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000769398ec 5 bytes JMP 0000000073a08160 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076939fdb 5 bytes JMP 0000000073a076c0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007694156b 5 bytes JMP 0000000073a07d20 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000769502cd 5 bytes JMP 0000000073a08300 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076950343 5 bytes JMP 00000000739f0af0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076950387 5 bytes JMP 00000000739f0920 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076956dc4 5 bytes JMP 0000000073a05460 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076956e25 5 bytes JMP 0000000073a059a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076957e9f 5 bytes JMP 0000000073a074f0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769589b3 5 bytes JMP 0000000073a06d30 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2644] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763c9cbb 5 bytes JMP 00000000739fc2e0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9f0 5 bytes JMP 0000000073a02e50 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007768fb38 5 bytes JMP 00000000739f83f0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fcc0 5 bytes JMP 00000000739f7990 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd74 5 bytes JMP 00000000739f90a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fdd8 5 bytes JMP 00000000739f8790 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fed0 5 bytes JMP 00000000739fabb0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007768ff84 5 bytes JMP 00000000739f6c00 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ffb4 5 bytes JMP 00000000739f89a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077690014 5 bytes JMP 00000000739f7550 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690094 5 bytes JMP 00000000739f77a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776900c4 5 bytes JMP 00000000739f8d50 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776903c8 5 bytes JMP 00000000739fa0a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776903e0 5 bytes JMP 00000000739fb970 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690560 5 bytes JMP 00000000739fb690 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776906a4 5 bytes JMP 00000000739f7b80 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077690704 5 bytes JMP 00000000739fba80 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776907ac 5 bytes JMP 00000000739f6af0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776907f4 5 bytes JMP 00000000739fbb90 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077690884 5 bytes JMP 00000000739f6d10 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769089c 5 bytes JMP 00000000739fae80 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776908b4 5 bytes JMP 00000000739fa5d0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690e04 5 bytes JMP 00000000739f7df0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690ee8 5 bytes JMP 00000000739f8200 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bf4 5 bytes JMP 00000000739f7ff0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691cc4 5 bytes JMP 00000000739faa60 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d9c 5 bytes JMP 00000000739f85e0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776ac0f0 7 bytes JMP 0000000073a02cd0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b73be3 5 bytes JMP 00000000739f5520 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b79ae4 5 bytes JMP 00000000739eefe0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b83baa 7 bytes JMP 00000000739efba0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b8cd11 5 bytes JMP 00000000739eecd0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076bddda6 7 bytes JMP 00000000739ef210 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076bdde49 7 bytes JMP 00000000739ef520 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f8a7 5 bytes JMP 0000000073a02cb0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076f9fcda 5 bytes JMP 00000000739f6400 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076fa2e0b 4 bytes {CALL QWORD [RIP+0x6daf000a]} .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000768f8342 5 bytes JMP 0000000073a03de0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000768f8c0f 5 bytes JMP 0000000073a04750 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768f90e3 7 bytes JMP 0000000073a03800 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000768f9689 5 bytes JMP 0000000073a04c40 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768f97e2 5 bytes JMP 0000000073a051a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768fee19 5 bytes JMP 0000000073a039d0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000768fefd9 5 bytes JMP 0000000073a078d0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769012b5 5 bytes JMP 0000000073a04260 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007690292f 5 bytes JMP 0000000073a06860 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SetParent 0000000076902d74 5 bytes JMP 0000000073a07130 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076902db4 5 bytes JMP 0000000073a07af0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000769036a8 5 bytes JMP 0000000073a06f10 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076903bba 5 bytes JMP 0000000073a03fc0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076903c71 5 bytes JMP 0000000073a04500 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076906120 5 bytes JMP 0000000073a03c00 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007690613e 5 bytes JMP 0000000073a049a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076906c40 7 bytes JMP 0000000073a03620 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076907613 5 bytes JMP 0000000073a03300 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076907678 5 bytes JMP 0000000073a05c30 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769076f0 5 bytes JMP 0000000073a05700 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007690782f 5 bytes JMP 0000000073a04ee0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007690836c 5 bytes JMP 0000000073a03040 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007690c4c6 5 bytes JMP 0000000073a07320 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076911363 5 bytes JMP 0000000073a07f00 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007691c122 5 bytes JMP 0000000073a05ec0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007691d109 5 bytes JMP 0000000073a06110 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007691ebb6 5 bytes JMP 0000000073a06ad0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007691ec88 5 bytes JMP 0000000073a065c0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendInput 000000007691ff6a 5 bytes JMP 0000000073a06360 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000769398ec 5 bytes JMP 0000000073a08160 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076939fdb 5 bytes JMP 0000000073a076c0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007694156b 5 bytes JMP 0000000073a07d20 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000769502cd 5 bytes JMP 0000000073a08300 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076950343 5 bytes JMP 00000000739f0af0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076950387 5 bytes JMP 00000000739f0920 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076956dc4 5 bytes JMP 0000000073a05460 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076956e25 5 bytes JMP 0000000073a059a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076957e9f 5 bytes JMP 0000000073a074f0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[2672] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769589b3 5 bytes JMP 0000000073a06d30 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774dbcb0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 196 00000000774a02e4 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\KERNELBASE.dll!GetLocaleInfoW + 472 000007fefd48ee18 1 byte [1F] .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\SearchIndexer.exe[2800] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3176] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlInitEnumerationHashTable + 137 0000000077498359 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 372 000000007749f1b4 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6StringToAddressW + 427 000000007749f1eb 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b5be0 5 bytes JMP 000000006fff00d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774dbcb0 6 bytes {JMP QWORD [RIP+0x8c8534a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d2038 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1c18 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1eb8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1df8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1f18 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1918 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1d98 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d1a98 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774dc030 6 bytes {JMP QWORD [RIP+0x8ca4fca]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1af8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1e58 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d20f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d1858 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d17f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d1c78 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d1978 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d18b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1a38 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d19d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1f78 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d2098 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1cd8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1fd8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1d38 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d1b58 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1bb8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlGetUserInfoHeap + 138 000000007757808a 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlGetUserInfoHeap + 435 00000000775781b3 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!CopyFileW 0000000077278930 6 bytes {JMP QWORD [RIP+0x8e686ca]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077289010 13 bytes {MOV R11, 0x7feed7f5120; JMP R11} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 000000008001000e .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000772905e0 6 bytes {JMP QWORD [RIP+0x8dd0a1a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 00000000772c1040 6 bytes {JMP QWORD [RIP+0x8e7ffba]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 10 bytes JMP 000000008009000e .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000800b000e .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!CopyFileA 0000000077305680 6 bytes {JMP QWORD [RIP+0x8dfb97a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 000000007730a2e0 6 bytes {JMP QWORD [RIP+0x8d36d1a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007730afb0 6 bytes {JMP QWORD [RIP+0x8d7604a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\kernel32.dll!WinExec 000000007730b4f0 6 bytes {JMP QWORD [RIP+0x8e15b0a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd481900 6 bytes JMP 547a1a .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd48b2d1 5 bytes {JMP QWORD [RIP+0x1ae5d2a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\KERNELBASE.dll!GetLocaleInfoW + 472 000007fefd48ee18 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4913b0 6 bytes {JMP QWORD [RIP+0xefc4a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4913e0 6 bytes {JMP QWORD [RIP+0x27fc1a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4b3870 6 bytes {JMP QWORD [RIP+0x23d78a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4b38a0 6 bytes {JMP QWORD [RIP+0x27d75a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Program Files\Mozilla Firefox\ucrtbase.DLL!_fclose_nolock + 465 000007fef0fc67e1 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\RPCRT4.dll!MesEncodeDynBufferHandleCreate + 192 000007fefd5b8c50 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\RPCRT4.dll!I_RpcReceive + 693 000007fefd5c22f5 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SwitchDesktop 0000000077395354 7 bytes JMP 00000000374d1738 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077396ee0 8 bytes JMP 00000000374d12b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077398164 7 bytes JMP 00000000374d1558 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetParent 0000000077398500 8 bytes JMP 00000000374d1318 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077399bb0 6 bytes JMP 00000000374d0a78 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!PostMessageA 000000007739a3d8 5 bytes JMP 00000000374d0bf8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!EnableWindow 000000007739aa84 9 bytes JMP 00000000374d1618 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!MoveWindow 000000007739aab0 8 bytes JMP 00000000374d1378 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 000000007739b4e8 6 bytes JMP 00000000374d0b38 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007739c6dc 5 bytes JMP 00000000374d1258 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007739cd20 8 bytes JMP 00000000374d14f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007739d2b4 5 bytes JMP 00000000374d0cb8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendMessageA 000000007739d33c 5 bytes JMP 00000000374d0d78 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007739dc20 9 bytes JMP 00000000374d1018 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007739f4f0 7 bytes JMP 00000000374d15b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007739f864 9 bytes JMP 00000000374d09b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007739fab0 9 bytes JMP 00000000374d0e98 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773a0b64 10 bytes JMP 00000000374d0d18 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000773a3380 8 bytes JMP 00000000374d0ad8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!PeekMessageA 00000000773a39f0 5 bytes JMP 00000000374d0778 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000773a4d3c 5 bytes JMP 00000000374d0a18 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!GetKeyState 00000000773a4ff0 5 bytes JMP 00000000374d11f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773a5428 7 bytes JMP 00000000374d0f58 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!GetMessageA 00000000773a6120 7 bytes JMP 00000000374d06b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!IsDialogMessageW 00000000773a66d0 5 bytes JMP 00000000374d08f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendMessageW 00000000773a6b60 5 bytes JMP 00000000374d0dd8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 00000000773a76fc 8 bytes JMP 00000000374d0b98 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!PostMessageW 00000000773a7724 7 bytes JMP 00000000374d0c58 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!GetWindowInfo 00000000773a8b40 13 bytes {MOV R11, 0x7feee90644c; JMP R11} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!PeekMessageW 00000000773a9010 5 bytes JMP 00000000374d07d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!TranslateMessage 00000000773a9740 1 byte JMP 00000000374d0838 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!TranslateMessage + 2 00000000773a9742 4 bytes {JMP 0xffffffffc01270f8} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!GetMessageW 00000000773a9ea4 6 bytes JMP 00000000374d0718 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773addcc 5 bytes JMP 00000000374d10d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ae884 5 bytes JMP 00000000374d1498 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773af7a0 8 bytes JMP 00000000374d13d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773b28e4 12 bytes JMP 00000000374d0fb8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!mouse_event 00000000773b38a4 7 bytes JMP 00000000374d0658 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773b8a10 8 bytes JMP 00000000374d1198 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773b8bd8 12 bytes JMP 00000000374d0e38 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773b8c20 12 bytes JMP 00000000374d0958 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendInput 00000000773b8cd0 8 bytes JMP 00000000374d1138 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!BlockInput 00000000773bad50 8 bytes JMP 00000000374d1438 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!ClipCursor 00000000773bada0 8 bytes JMP 00000000374d16d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000773e1574 5 bytes JMP 00000000374d1678 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!IsDialogMessage 00000000773e32f8 7 bytes JMP 00000000374d0898 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SetSystemCursor 00000000774045f0 5 bytes JMP 00000000374d1798 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!keybd_event 0000000077404650 7 bytes JMP 00000000374d05f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007740cccc 5 bytes JMP 00000000374d1078 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007740dfbc 7 bytes JMP 00000000374d0ef8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\SHELL32.dll!ShellExecuteW 000007fefd9f9814 6 bytes {JMP QWORD [RIP+0xff77e6]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\SHELL32.dll!ShellExecuteExW 000007fefda04fa4 6 bytes {JMP QWORD [RIP+0x100c056]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefec6b610 6 bytes {JMP QWORD [RIP+0x4359ea]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefec990f0 6 bytes JMP 0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefeca03d0 6 bytes {JMP QWORD [RIP+0x450c2a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefecbf070 6 bytes {JMP QWORD [RIP+0x401f8a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefeceb2c0 6 bytes {JMP QWORD [RIP+0x445d3a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefed1ea40 6 bytes {JMP QWORD [RIP+0x3f25ba]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefed7ee40 6 bytes JMP 29292929 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefed7fb60 6 bytes JMP 0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefeda8630 6 bytes JMP 20000 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefedab100 6 bytes {JMP QWORD [RIP+0x205efa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe774ae0 6 bytes {JMP QWORD [RIP+0x7ec51a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefd89eb51 5 bytes {JMP QWORD [RIP+0x13024aa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefd89f720 6 bytes {JMP QWORD [RIP+0x11918da]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefd91fba1 5 bytes {JMP QWORD [RIP+0x12a145a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\urlmon.dll!URLDownloadToFileA + 1 000007fefd91fd21 5 bytes {JMP QWORD [RIP+0x12612da]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefd91fe70 6 bytes {JMP QWORD [RIP+0x161118a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefd91ff50 6 bytes {JMP QWORD [RIP+0x13110aa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefd920271 5 bytes {JMP QWORD [RIP+0x12f0d8a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefd920340 6 bytes {JMP QWORD [RIP+0x12d0cba]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\CRYPT32.dll!CertVerifyCertificateChainPolicy 000007fefd2365d0 7 bytes JMP 000007fefd1c00d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\Dnsapi.dll!DnsGetProxyInformation + 110 000007fefc705f7a 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3140] C:\Windows\system32\Dnsapi.dll!DnsGetProxyInformation + 138 000007fefc705f96 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!wcscspn + 182 0000000077497e3e 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlInitEnumerationHashTable + 137 0000000077498359 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b5be0 5 bytes JMP 000000006fff00d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774dbcb0 6 bytes {JMP QWORD [RIP+0x8c8534a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d2038 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1c18 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1eb8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1df8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1f18 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1918 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1d98 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d1a98 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774dc030 6 bytes {JMP QWORD [RIP+0x8ca4fca]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1af8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1e58 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d20f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d1858 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d17f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d1c78 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d1978 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d18b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1a38 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d19d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1f78 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d2098 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1cd8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1fd8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1d38 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d1b58 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1bb8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077272b60 13 bytes JMP 00000000374d0418 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!CopyFileW 0000000077278930 6 bytes {JMP QWORD [RIP+0x8e686ca]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077281860 3 bytes JMP 00000000374d0298 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077281864 1 byte [C0] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007728dbf0 5 bytes JMP 000000008001000e .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000772905e0 6 bytes {JMP QWORD [RIP+0x8dd0a1a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 00000000772c1040 6 bytes {JMP QWORD [RIP+0x8e7ffba]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772ff6d0 8 bytes JMP 00000000374d0598 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772ff700 5 bytes JMP 00000000374d04d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!MoveFileW 00000000772ff7d0 10 bytes JMP 000000008009000e .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772ff8d0 8 bytes JMP 00000000374d0538 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000772ff900 10 bytes JMP 00000000374d03b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!MoveFileA 00000000772ff930 10 bytes JMP 00000000800b000e .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!CopyFileA 0000000077305680 6 bytes {JMP QWORD [RIP+0x8dfb97a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077305720 5 bytes JMP 00000000374d0478 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 000000007730a2e0 6 bytes {JMP QWORD [RIP+0x8d36d1a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007730afb0 6 bytes {JMP QWORD [RIP+0x8d7604a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\kernel32.dll!WinExec 000000007730b4f0 6 bytes {JMP QWORD [RIP+0x8e15b0a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd481900 6 bytes {JMP QWORD [RIP+0xdf6fa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd48b2d1 5 bytes {JMP QWORD [RIP+0x1ae5d2a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\KERNELBASE.dll!GetLocaleInfoW + 472 000007fefd48ee18 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4913b0 6 bytes {JMP QWORD [RIP+0xefc4a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4913e0 6 bytes JMP 27 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4b3870 6 bytes {JMP QWORD [RIP+0x23d78a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4b38a0 6 bytes JMP 0 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefec6b610 6 bytes {JMP QWORD [RIP+0x4359ea]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefec990f0 6 bytes {JMP QWORD [RIP+0x2f7f0a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefeca03d0 6 bytes {JMP QWORD [RIP+0x450c2a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefecbf070 6 bytes {JMP QWORD [RIP+0x401f8a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefeceb2c0 6 bytes {JMP QWORD [RIP+0x445d3a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefed1ea40 6 bytes {JMP QWORD [RIP+0x3f25ba]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefed7ee40 6 bytes {JMP QWORD [RIP+0x3021ba]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefed7fb60 6 bytes JMP f07c .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefeda8630 6 bytes JMP 664a7a .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefedab100 6 bytes {JMP QWORD [RIP+0x205efa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe774ae0 6 bytes {JMP QWORD [RIP+0x7ec51a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefd89eb51 5 bytes {JMP QWORD [RIP+0x13024aa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefd89f720 6 bytes {JMP QWORD [RIP+0x11918da]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefd91fba1 5 bytes {JMP QWORD [RIP+0x12a145a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\urlmon.dll!URLDownloadToFileA + 1 000007fefd91fd21 5 bytes {JMP QWORD [RIP+0x12612da]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefd91fe70 6 bytes {JMP QWORD [RIP+0x161118a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefd91ff50 6 bytes {JMP QWORD [RIP+0x13110aa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefd920271 5 bytes {JMP QWORD [RIP+0x12f0d8a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefd920340 6 bytes {JMP QWORD [RIP+0x12d0cba]} .text C:\Program Files\Mozilla Firefox\firefox.exe[208] C:\Windows\system32\CRYPT32.dll!CertVerifyCertificateChainPolicy 000007fefd2365d0 7 bytes JMP 000007fefd1c00d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 592 000000007749cf90 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlDoesFileExists_U + 175 00000000774a19af 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!DbgPrint + 115 00000000774a4dc3 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b5be0 5 bytes JMP 000000006fff00d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774dbc00 7 bytes [48, B8, 34, 93, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000774dbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774dbcb0 6 bytes JMP 7feef48 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d2038 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000774dbd70 7 bytes [48, B8, 8C, 92, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000774dbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774dbd90 7 bytes [48, B8, 08, 92, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000774dbd98 7 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000774dbda0 7 bytes [48, B8, 08, 93, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000774dbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1c18 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000774dbe20 7 bytes [48, B8, B0, 92, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000774dbe28 7 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000774dbe30 7 bytes [48, B8, 44, 92, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000774dbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 14 bytes JMP 00000000374d1eb8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1df8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000774dbf00 7 bytes [48, B8, E0, 92, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000774dbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1f18 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1918 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1d98 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d1a98 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774dc030 6 bytes JMP 892 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1af8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 14 bytes JMP 00000000374d1e58 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d20f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d1858 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d17f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d1c78 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d1978 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d18b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1a38 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d19d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1f78 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d2098 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1cd8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1fd8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000774dcaf0 7 bytes [48, B8, 2C, 92, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000774dcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774dcb40 7 bytes [48, B8, 68, 92, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000774dcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000774dcc90 7 bytes [48, B8, F4, 92, 5A, 3F, 01] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000774dcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1d38 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d1b58 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1bb8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd481900 6 bytes {JMP QWORD [RIP+0xdf6fa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd48b2d1 5 bytes {JMP QWORD [RIP+0x1ae5d2a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\KERNELBASE.dll!GetLocaleInfoW + 472 000007fefd48ee18 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4913b0 6 bytes {JMP QWORD [RIP+0xefc4a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4913e0 6 bytes JMP 7feed10 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4b3870 6 bytes {JMP QWORD [RIP+0x23d78a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4b38a0 6 bytes JMP 0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Program Files\Mozilla Firefox\ucrtbase.DLL!_fclose_nolock + 465 000007fef0fc67e1 1 byte [1F] .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefec6b610 6 bytes {JMP QWORD [RIP+0x4359ea]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefec990f0 6 bytes {JMP QWORD [RIP+0x2f7f0a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefeca03d0 6 bytes JMP 0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefecbf070 6 bytes {JMP QWORD [RIP+0x401f8a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefeceb2c0 6 bytes JMP 0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefed1ea40 6 bytes JMP 3f .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefed7ee40 6 bytes {JMP QWORD [RIP+0x3021ba]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefed7fb60 6 bytes JMP 2d .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefeda8630 6 bytes JMP 0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefedab100 6 bytes {JMP QWORD [RIP+0x205efa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe774ae0 6 bytes {JMP QWORD [RIP+0x7ec51a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefd89eb51 5 bytes {JMP QWORD [RIP+0x13024aa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefd89f720 6 bytes {JMP QWORD [RIP+0x11918da]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefd91fba1 5 bytes {JMP QWORD [RIP+0x12a145a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\urlmon.dll!URLDownloadToFileA + 1 000007fefd91fd21 5 bytes {JMP QWORD [RIP+0x12612da]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefd91fe70 6 bytes {JMP QWORD [RIP+0x161118a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefd91ff50 6 bytes {JMP QWORD [RIP+0x13110aa]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefd920271 5 bytes {JMP QWORD [RIP+0x12f0d8a]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefd920340 6 bytes {JMP QWORD [RIP+0x12d0cba]} .text C:\Program Files\Mozilla Firefox\firefox.exe[3456] C:\Windows\system32\CRYPT32.dll!CertVerifyCertificateChainPolicy 000007fefd2365d0 7 bytes JMP 000007fefd1c00d8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\taskeng.exe[4580] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 215 00000000774b4e9b 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!_wcsicmp + 311 00000000774b4efb 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlCleanUpTEBLangLists + 732 00000000774d1cbc 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\AUDIODG.EXE[700] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 290 00000000774a41d2 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 514 00000000774a5462 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseIoCompletion + 768 00000000774a5560 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 534 00000000774a9b46 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!TpIsTimerSet + 751 00000000774a9c1f 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 212 00000000774aa6d4 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!TpSetTimer + 957 00000000774aa9bd 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 416 00000000774af8c0 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlRealSuccessor + 548 00000000774af944 1 byte [1F] .text ... * 2 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b2170 5 bytes JMP 00000000374d01d8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 00000000774b5924 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 00000000774b6491 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlMultiAppendUnicodeStringBuffer + 303 00000000774c001f 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 101 00000000774c0c05 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 350 00000000774c0cfe 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings + 387 00000000774c0fd3 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 90 00000000774c4d2a 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 107 00000000774d315b 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!LdrFindResource_U + 316 00000000774d322c 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlSetUserValueHeap + 87 00000000774d5417 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 00000000774daed6 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 26 00000000774daf52 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 154 00000000774dafd2 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 00000000774db031 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774dbc20 8 bytes JMP 00000000374d0178 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774dbcf0 8 bytes JMP 00000000374d1d98 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774dbdf0 8 bytes JMP 00000000374d1978 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774dbe60 8 bytes JMP 00000000374d1c18 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774dbea0 8 bytes JMP 00000000374d1b58 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774dbf40 8 bytes JMP 00000000374d1c78 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774dbfb0 8 bytes JMP 00000000374d1678 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774dbfd0 8 bytes JMP 00000000374d1af8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774dc010 8 bytes JMP 00000000374d17f8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774dc060 8 bytes JMP 00000000374d1858 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774dc080 8 bytes JMP 00000000374d1bb8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774dc270 8 bytes JMP 00000000374d1e58 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774dc280 8 bytes JMP 00000000374d15b8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774dc380 8 bytes JMP 00000000374d1558 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774dc450 8 bytes JMP 00000000374d19d8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774dc490 8 bytes JMP 00000000374d16d8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774dc500 8 bytes JMP 00000000374d1618 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774dc530 8 bytes JMP 00000000374d1798 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774dc590 8 bytes JMP 00000000374d1738 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774dc5a0 8 bytes JMP 00000000374d1cd8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774dc5b0 8 bytes JMP 00000000374d1df8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774dc920 8 bytes JMP 00000000374d1a38 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774dc9b0 8 bytes JMP 00000000374d1d38 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774dd220 8 bytes JMP 00000000374d1a98 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774dd2a0 8 bytes JMP 00000000374d18b8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774dd320 8 bytes JMP 00000000374d1918 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 232 00000000774deeb8 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlAnsiStringToUnicodeString + 287 00000000774deeef 1 byte [1F] .text ... * 3 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlInitUnicodeStringEx + 213 00000000774df5d5 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 61 00000000774ea12d 1 byte [1F] .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd493a50 7 bytes JMP 000007febceb0238 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefd4bff00 5 bytes JMP 000007febceb0298 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5a22e0 5 bytes JMP 000007febceb0538 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5a2390 5 bytes JMP 000007febceb0598 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff5a3e30 5 bytes JMP 000007febceb04d8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5a7574 5 bytes JMP 000007febceb05f8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5a81e4 9 bytes JMP 000007febceb03b8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5a8814 9 bytes JMP 000007febceb0358 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5a8d6c 5 bytes JMP 000007febceb0418 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5abaa4 5 bytes JMP 000007febceb06b8 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5ac7a0 5 bytes JMP 000007febceb0658 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff5b52f0 5 bytes JMP 000007febceb0478 .text C:\Windows\system32\wbem\wmiprvse.exe[4272] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe7e6d10 11 bytes JMP 000007febceb02f8 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9f0 5 bytes JMP 0000000073a02e50 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007768fb38 5 bytes JMP 00000000739f83f0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fcc0 5 bytes JMP 00000000739f7990 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd74 5 bytes JMP 00000000739f90a0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fdd8 5 bytes JMP 00000000739f8790 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fed0 5 bytes JMP 00000000739fabb0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007768ff84 5 bytes JMP 00000000739f6c00 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ffb4 5 bytes JMP 00000000739f89a0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077690014 5 bytes JMP 00000000739f7550 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690094 5 bytes JMP 00000000739f77a0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776900c4 5 bytes JMP 00000000739f8d50 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776903c8 5 bytes JMP 00000000739fa0a0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776903e0 5 bytes JMP 00000000739fb970 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690560 5 bytes JMP 00000000739fb690 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776906a4 5 bytes JMP 00000000739f7b80 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077690704 5 bytes JMP 00000000739fba80 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776907ac 5 bytes JMP 00000000739f6af0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776907f4 5 bytes JMP 00000000739fbb90 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077690884 5 bytes JMP 00000000739f6d10 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769089c 5 bytes JMP 00000000739fae80 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776908b4 5 bytes JMP 00000000739fa5d0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690e04 5 bytes JMP 00000000739f7df0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690ee8 5 bytes JMP 00000000739f8200 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bf4 5 bytes JMP 00000000739f7ff0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691cc4 5 bytes JMP 00000000739faa60 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d9c 5 bytes JMP 00000000739f85e0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776ac0f0 7 bytes JMP 0000000073a02cd0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b73be3 5 bytes JMP 00000000739f5520 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b79ae4 5 bytes JMP 00000000739eefe0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b83baa 7 bytes JMP 00000000739efba0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b8cd11 5 bytes JMP 00000000739eecd0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076bddda6 7 bytes JMP 00000000739ef210 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076bdde49 7 bytes JMP 00000000739ef520 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076f9f8a7 5 bytes JMP 0000000073a02cb0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076f9fcda 5 bytes JMP 00000000739f6400 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076fa2e0b 4 bytes CALL 6d260000 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000768f8342 5 bytes JMP 0000000073a03de0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000768f8c0f 5 bytes JMP 0000000073a04750 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768f90e3 7 bytes JMP 0000000073a03800 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000768f9689 5 bytes JMP 0000000073a04c40 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768f97e2 5 bytes JMP 0000000073a051a0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768fee19 5 bytes JMP 0000000073a039d0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000768fefd9 5 bytes JMP 0000000073a078d0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769012b5 5 bytes JMP 0000000073a04260 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007690292f 5 bytes JMP 0000000073a06860 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SetParent 0000000076902d74 5 bytes JMP 0000000073a07130 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076902db4 5 bytes JMP 0000000073a07af0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000769036a8 5 bytes JMP 0000000073a06f10 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076903bba 5 bytes JMP 0000000073a03fc0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076903c71 5 bytes JMP 0000000073a04500 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076906120 5 bytes JMP 0000000073a03c00 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007690613e 5 bytes JMP 0000000073a049a0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076906c40 7 bytes JMP 0000000073a03620 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076907613 5 bytes JMP 0000000073a03300 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076907678 5 bytes JMP 0000000073a05c30 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769076f0 5 bytes JMP 0000000073a05700 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007690782f 5 bytes JMP 0000000073a04ee0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007690836c 5 bytes JMP 0000000073a03040 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007690c4c6 5 bytes JMP 0000000073a07320 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076911363 5 bytes JMP 0000000073a07f00 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007691c122 5 bytes JMP 0000000073a05ec0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007691d109 5 bytes JMP 0000000073a06110 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007691ebb6 5 bytes JMP 0000000073a06ad0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007691ec88 5 bytes JMP 0000000073a065c0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendInput 000000007691ff6a 5 bytes JMP 0000000073a06360 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SwitchDesktop 00000000769398ec 5 bytes JMP 0000000073a08160 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076939fdb 5 bytes JMP 0000000073a076c0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007694156b 5 bytes JMP 0000000073a07d20 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SetSystemCursor 00000000769502cd 5 bytes JMP 0000000073a08300 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076950343 5 bytes JMP 00000000739f0af0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076950387 5 bytes JMP 00000000739f0920 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076956dc4 5 bytes JMP 0000000073a05460 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076956e25 5 bytes JMP 0000000073a059a0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076957e9f 5 bytes JMP 0000000073a074f0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769589b3 5 bytes JMP 0000000073a06d30 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750158b3 5 bytes JMP 00000000739f16e0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075015ea5 5 bytes JMP 00000000739f0d00 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075017bcc 5 bytes JMP 00000000739f0650 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007501ae82 5 bytes JMP 00000000739f1c70 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007501b98a 5 bytes JMP 00000000739f17b0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007501bd7d 5 bytes JMP 00000000739f1460 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007501c08c 5 bytes JMP 00000000739f19f0 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007501cf11 5 bytes JMP 00000000739f0f70 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007501e935 5 bytes JMP 00000000739f0800 .text C:\Users\Krzysztof\Downloads\x044jm19.exe[4592] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075044aaa 5 bytes JMP 00000000739f11f0 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b5e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b5c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b6654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b6a50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b68ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-3 fffffa8002a942c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8002a942c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8002a942c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 fffffa8002a942c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8002a942c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa8002a942c0 Device \FileSystem\Ntfs \Ntfs fffffa8002a982c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa8003f632c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa8003f632c0 Device \Driver\cdrom \Device\CdRom0 fffffa8003b792c0 Device \Driver\cdrom \Device\CdRom1 fffffa8003b792c0 Device \Driver\cdrom \Device\CdRom2 fffffa8003b792c0 Device \Driver\usbehci \Device\USBFDO-4 fffffa8003f8d2c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa8003f632c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa8003f632c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa8003f632c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa8003f632c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{05912885-6891-43D3-B03E-0C3556A88A30} fffffa8003cd72c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8003cd72c0 Device \Driver\usbehci \Device\USBPDO-4 fffffa8003f8d2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8002a942c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa8003f632c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa8003f632c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8002a942c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8002a942c0]<< sptd.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8002a942c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80039fe060] fffffa80039fe060 Trace 3 CLASSPNP.SYS[fffff8800143b43f] -> nt!IofCallDriver -> [0xfffffa80038a8520] fffffa80038a8520 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-3[0xfffffa80038c9060] fffffa80038c9060 Trace \Driver\atapi[0xfffffa8003895060] -> IRP_MJ_CREATE -> 0xfffffa8002a942c0 fffffa8002a942c0 ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\svchost.exe [928:1176] 000007fefa21341c Thread C:\Windows\system32\svchost.exe [928:1192] 000007fefa213a2c Thread C:\Windows\system32\svchost.exe [928:1196] 000007fefa213768 Thread C:\Windows\system32\svchost.exe [928:1200] 000007fefa215c20 Thread C:\Windows\system32\svchost.exe [928:1284] 000007fef846bd70 Thread C:\Windows\system32\svchost.exe [928:3164] 000007fefa213900 Thread C:\Windows\system32\svchost.exe [928:3228] 000007fef86c5170 Thread C:\Windows\system32\svchost.exe [928:3448] 000007fef8215124 Thread C:\Windows\System32\spoolsv.exe [1268:1156] 000007fef7f310c8 Thread C:\Windows\System32\spoolsv.exe [1268:1684] 000007fef7ef6144 Thread C:\Windows\System32\spoolsv.exe [1268:404] 000007fef90e5fd0 Thread C:\Windows\System32\spoolsv.exe [1268:1712] 000007fef7ea3438 Thread C:\Windows\System32\spoolsv.exe [1268:2036] 000007fef90e63ec Thread C:\Windows\System32\spoolsv.exe [1268:2060] 000007fef8295e5c Thread C:\Windows\System32\spoolsv.exe [1268:2076] 000007fef82c5060 Thread C:\Windows\system32\svchost.exe [1368:1668] 000007fef94235c0 Thread C:\Windows\system32\svchost.exe [1368:2080] 000007fef9425600 Thread C:\Windows\system32\svchost.exe [1368:1548] 000007fef5ed2888 Thread C:\Windows\system32\svchost.exe [1368:2596] 000007fef5ea2940 Thread C:\Windows\system32\svchost.exe [1368:4264] 000007fef5ed2a40 Thread C:\Windows\System32\svchost.exe [1576:1724] 000007fef95a0360 Thread C:\Windows\System32\svchost.exe [1576:1728] 000007fef957e460 Thread C:\Windows\System32\svchost.exe [1576:1732] 000007fef957e450 Thread C:\Windows\System32\svchost.exe [1576:1736] 000007fef9545570 Thread C:\Windows\System32\svchost.exe [1576:1740] 000007fef957a130 Thread C:\Windows\System32\svchost.exe [1576:1744] 000007fef9545560 Thread C:\Windows\System32\svchost.exe [1576:1756] 000007fef95c82a0 Thread C:\Windows\system32\svchost.exe [1660:3436] 000007fef5cc8470 Thread C:\Windows\system32\svchost.exe [1660:3440] 000007fef5cd2418 Thread C:\Windows\system32\svchost.exe [1116:2052] 000007fef7c97130 Thread C:\Windows\system32\svchost.exe [1116:2056] 000007fef7c8d5c0 Thread C:\Windows\system32\svchost.exe [1116:2344] 000007fef90e5fd0 Thread C:\Windows\system32\svchost.exe [1116:2368] 000007fef7ea3438 Thread C:\Windows\system32\svchost.exe [1116:2380] 000007fef90e63ec Thread C:\Windows\system32\svchost.exe [1116:3032] 00000000022dabd0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3176:3476] 000007fefb292b1c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3176:4052] 000007fef8215124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3176:4668] 000007fef8219874 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3176:1988] 000007fef8219874 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0x02 0x76 0xC1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0x02 0x76 0xC1 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EBEBFDD1-C7B5-DC05-B20A-96F3ABD1BE03} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EBEBFDD1-C7B5-DC05-B20A-96F3ABD1BE03}@haoajmcehoanodca 0x6A 0x61 0x62 0x62 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EBEBFDD1-C7B5-DC05-B20A-96F3ABD1BE03}@iaiknahgkdapjlfgnj 0x67 0x61 0x64 0x6E ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EBEBFDD1-C7B5-DC05-B20A-96F3ABD1BE03}@iaiapoelejogbgebpi 0x6A 0x61 0x62 0x62 ... ---- EOF - GMER 2.2 ----