GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-30 22:01:19 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1 PLEXTOR_ rev.1.03 238,47GB Running: qem9u9x2.exe; Driver: C:\Users\Sasha\AppData\Local\Temp\afliikod.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007709d460 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007709d660 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007709d460 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007709d660 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\services.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff193d60 5 bytes JMP 000007febca70358 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SwitchDesktop 0000000076e35350 7 bytes JMP 0000000037091498 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076e36ef0 8 bytes JMP 0000000037091018 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076e38184 7 bytes JMP 00000000370912b8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetParent 0000000076e38530 8 bytes JMP 0000000037091078 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076e39bcc 6 bytes JMP 00000000370907d8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!PostMessageA 0000000076e3a404 5 bytes JMP 0000000037090958 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!EnableWindow 0000000076e3aaa0 9 bytes JMP 0000000037091378 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!MoveWindow 0000000076e3aad0 8 bytes JMP 00000000370910d8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 0000000076e3b500 6 bytes JMP 0000000037090898 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076e3c720 5 bytes JMP 0000000037090fb8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076e3cd50 8 bytes JMP 0000000037091258 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076e3d2b0 5 bytes JMP 0000000037090a18 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendMessageA 0000000076e3d338 5 bytes JMP 0000000037090ad8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076e3dc40 9 bytes JMP 0000000037090d78 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076e3f510 7 bytes JMP 0000000037091318 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076e3f874 9 bytes JMP 0000000037090718 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076e3fac0 9 bytes JMP 0000000037090bf8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076e40b74 10 bytes JMP 0000000037090a78 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076e433b0 8 bytes JMP 0000000037090838 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076e44d4c 5 bytes JMP 0000000037090778 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!GetKeyState 0000000076e45010 3 bytes JMP 0000000037090f58 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!GetKeyState + 4 0000000076e45014 1 byte [C0] .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076e45438 7 bytes JMP 0000000037090cb8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendMessageW 0000000076e46b50 3 bytes JMP 0000000037090b38 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendMessageW + 4 0000000076e46b54 1 byte [C0] .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 0000000076e476c0 1 byte JMP 00000000370908f8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 2 0000000076e476c2 6 bytes {JMP 0xffffffffc0249238} .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!PostMessageW 0000000076e476e4 7 bytes JMP 00000000370909b8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076e4dd90 3 bytes JMP 0000000037090e38 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendDlgItemMessageW + 4 0000000076e4dd94 1 byte [C0] .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076e4e874 3 bytes JMP 00000000370911f8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!GetClipboardData + 4 0000000076e4e878 1 byte [C0] .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076e4f780 8 bytes JMP 0000000037091138 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076e528e4 12 bytes JMP 0000000037090d18 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!mouse_event 0000000076e53894 7 bytes JMP 0000000037090658 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076e58a10 8 bytes JMP 0000000037090ef8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076e58be0 12 bytes JMP 0000000037090b98 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076e58c20 12 bytes JMP 00000000370906b8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendInput 0000000076e58cd0 8 bytes JMP 0000000037090e98 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!BlockInput 0000000076e5ad60 8 bytes JMP 0000000037091198 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!ClipCursor 0000000076e5adb0 8 bytes JMP 0000000037091438 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076e814e0 5 bytes JMP 00000000370913d8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SetSystemCursor 0000000076ea454c 5 bytes JMP 00000000370914f8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!keybd_event 0000000076ea45a4 7 bytes JMP 00000000370905f8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076eacc08 5 bytes JMP 0000000037090dd8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076eadf18 7 bytes JMP 0000000037090c58 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70598 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca70538 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca70658 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca70418 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70478 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca70718 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\services.exe[792] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\lsass.exe[812] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\lsm.exe[820] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff193d60 5 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca70718 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\nvvsvc.exe[288] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff193d60 5 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca70718 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007709d530 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 000000006fff0110 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff193d60 5 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca70718 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1476] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\nvvsvc.exe[1488] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\conhost.exe[1576] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\System32\spoolsv.exe[1852] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff193d60 5 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca70718 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[1896] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2016] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SwitchDesktop 0000000076e35350 7 bytes JMP 0000000037091498 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076e36ef0 8 bytes JMP 0000000037091018 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076e38184 7 bytes JMP 00000000370912b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetParent 0000000076e38530 8 bytes JMP 0000000037091078 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076e39bcc 6 bytes JMP 00000000370907d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!PostMessageA 0000000076e3a404 5 bytes JMP 0000000037090958 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!EnableWindow 0000000076e3aaa0 9 bytes JMP 0000000037091378 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!MoveWindow 0000000076e3aad0 8 bytes JMP 00000000370910d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 0000000076e3b500 6 bytes JMP 0000000037090898 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076e3c720 5 bytes JMP 0000000037090fb8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076e3cd50 8 bytes JMP 0000000037091258 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076e3d2b0 5 bytes JMP 0000000037090a18 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendMessageA 0000000076e3d338 5 bytes JMP 0000000037090ad8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076e3dc40 9 bytes JMP 0000000037090d78 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076e3f510 7 bytes JMP 0000000037091318 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076e3f874 9 bytes JMP 0000000037090718 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076e3fac0 9 bytes JMP 0000000037090bf8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076e40b74 10 bytes JMP 0000000037090a78 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076e433b0 8 bytes JMP 0000000037090838 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076e44d4c 5 bytes JMP 0000000037090778 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!GetKeyState 0000000076e45010 3 bytes JMP 0000000037090f58 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!GetKeyState + 4 0000000076e45014 1 byte [C0] .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076e45438 7 bytes JMP 0000000037090cb8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendMessageW 0000000076e46b50 3 bytes JMP 0000000037090b38 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendMessageW + 4 0000000076e46b54 1 byte [C0] .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 0000000076e476c0 1 byte JMP 00000000370908f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 2 0000000076e476c2 6 bytes {JMP 0xffffffffc0249238} .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!PostMessageW 0000000076e476e4 7 bytes JMP 00000000370909b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076e4dd90 3 bytes JMP 0000000037090e38 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendDlgItemMessageW + 4 0000000076e4dd94 1 byte [C0] .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076e4e874 3 bytes JMP 00000000370911f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!GetClipboardData + 4 0000000076e4e878 1 byte [C0] .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076e4f780 8 bytes JMP 0000000037091138 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076e528e4 12 bytes JMP 0000000037090d18 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!mouse_event 0000000076e53894 7 bytes JMP 0000000037090658 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076e58a10 8 bytes JMP 0000000037090ef8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076e58be0 12 bytes JMP 0000000037090b98 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076e58c20 12 bytes JMP 00000000370906b8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendInput 0000000076e58cd0 8 bytes JMP 0000000037090e98 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!BlockInput 0000000076e5ad60 8 bytes JMP 0000000037091198 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!ClipCursor 0000000076e5adb0 8 bytes JMP 0000000037091438 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076e814e0 5 bytes JMP 00000000370913d8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SetSystemCursor 0000000076ea454c 5 bytes JMP 00000000370914f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!keybd_event 0000000076ea45a4 7 bytes JMP 00000000370905f8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076eacc08 5 bytes JMP 0000000037090dd8 .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1112] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076eadf18 7 bytes JMP 0000000037090c58 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6d0a0000 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2424] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 71910000 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2660] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[2984] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 1 0000000076f49041 7 bytes [31, C0, C3, 90, 90, 90, 90] .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[3208] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\wbem\wmiprvse.exe[3232] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[3700] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\Dwm.exe[3720] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\taskeng.exe[4640] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes CALL 211b00 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\taskhost.exe[4760] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\SHELL32.dll!ILClone 000007fefe05a7e0 5 bytes JMP 000007fefedf0298 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\SHELL32.dll!SHGetPropertyStoreForWindow 000007fefe0615ac 6 bytes {JMP QWORD [RIP-0x48f]} .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 000007fefe09834c 6 bytes {JMP QWORD [RIP-0x2bf]} .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\Explorer.EXE[3388] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!DrawShadowText + 360 000007fefb263744 5 bytes JMP 000007fefb740298 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\System32\igfxtray.exe[4400] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\System32\hkcmd.exe[4468] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\System32\igfxpers.exe[4964] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4956] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6d750000 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076018791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6d660000 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5148] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[5292] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\shell32.dll!SHGetPropertyStoreForWindow 000007fefe0615ac 6 bytes {JMP QWORD [RIP-0x48f]} .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins.exe[5532] C:\Windows\system32\shell32.dll!SetCurrentProcessExplicitAppUserModelID 000007fefe09834c 6 bytes {JMP QWORD [RIP-0x2bf]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[5708] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 70600000 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Users\Sasha\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\CCleaner\CCleaner64.exe[5856] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[6112] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6f0f0000 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 70420000 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[5548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 70970000 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 71a70000 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\WizMouse\wizmouse.exe[5240] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 70990000 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\shell32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\shell32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6e310000 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\wbem\unsecapp.exe[6200] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6e0b0000 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Windows\SysWOW64\RunDll32.exe[6616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\svchost.exe[7180] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 70040000 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[8056] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[8508] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007709d530 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 00000000000201b0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000000020238 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 00000000000202c0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[8700] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\SearchIndexer.exe[8260] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 71240000 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[8708] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 715e0000 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[9360] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6f100000 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files\1UPIndustries\Bins\v1.1.0.784\Bins32on64.exe[9292] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\srspremiumpanel_64.exe[10152] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[9968] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6f330000 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[6196] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[6560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\igfxext.exe[880] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\igfxsrvc.exe[7372] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Glary Utilities 5\Integrator.exe[10128] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077074c80 5 bytes JMP 00000000000205f0 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007709d540 5 bytes JMP 0000000000020678 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709d630 5 bytes JMP 00000000000200a0 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709d750 5 bytes JMP 0000000000020018 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007709d7b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 5 bytes JMP 0000000037091678 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007709d8d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 5 bytes JMP 0000000037091618 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 5 bytes JMP 0000000037091738 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007709de80 5 bytes JMP 0000000000020348 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007709e340 5 bytes JMP 0000000000020458 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007709e390 5 bytes JMP 00000000000204e0 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770f4240 5 bytes JMP 0000000000020568 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076f32b60 13 bytes JMP 0000000037090418 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f41890 5 bytes JMP 0000000037090298 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 5 bytes JMP 0000000037090238 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fbf540 8 bytes JMP 0000000037090598 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fbf570 5 bytes JMP 00000000370904d8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076fbf640 10 bytes JMP 0000000037090358 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fbf740 8 bytes JMP 0000000037090538 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076fbf770 10 bytes JMP 00000000370903b8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076fbf7a0 10 bytes JMP 00000000370902f8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fc5510 5 bytes JMP 0000000037090478 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe[8912] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 709b0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3256] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6e820000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[7132] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6e9d0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4924] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1732] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077072dc0 5 bytes JMP 00000000370901d8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007709d4a0 8 bytes JMP 0000000037090178 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007709d570 8 bytes JMP 0000000037091d98 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007709d670 8 bytes JMP 0000000037091978 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007709d6e0 8 bytes JMP 0000000037091c18 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007709d720 8 bytes JMP 0000000037091b58 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007709d7c0 8 bytes JMP 0000000037091c78 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007709d830 8 bytes JMP 0000000037091678 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007709d850 8 bytes JMP 0000000037091af8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007709d890 8 bytes JMP 00000000370917f8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007709d8e0 8 bytes JMP 0000000037091858 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007709d900 8 bytes JMP 0000000037091bb8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007709daf0 8 bytes JMP 0000000037091e58 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007709db00 8 bytes JMP 00000000370915b8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007709dc00 8 bytes JMP 0000000037091558 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007709dcd0 8 bytes JMP 00000000370919d8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007709dd10 8 bytes JMP 00000000370916d8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007709dd80 8 bytes JMP 0000000037091618 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007709ddb0 8 bytes JMP 0000000037091798 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007709de10 8 bytes JMP 0000000037091738 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007709de20 8 bytes JMP 0000000037091cd8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007709de30 8 bytes JMP 0000000037091df8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007709e1a0 8 bytes JMP 0000000037091a38 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007709e230 8 bytes JMP 0000000037091d38 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007709eaa0 8 bytes JMP 0000000037091a98 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007709eb20 8 bytes JMP 00000000370918b8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007709eba0 8 bytes JMP 0000000037091918 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefce292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce336f0 7 bytes JMP 000007febca70238 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60860 5 bytes JMP 000007febca70298 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefd1c22cc 5 bytes JMP 000007febca70538 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!BitBlt 000007fefd1c24c0 5 bytes JMP 000007febca70598 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!GdiAlphaBlend 000007fefd1c3df4 5 bytes JMP 000007febca704d8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefd1c5be0 5 bytes JMP 000007febca705f8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefd1c8398 9 bytes JMP 000007febca703b8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefd1c89c8 9 bytes JMP 000007febca70358 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!GetPixel 000007fefd1c9344 5 bytes JMP 000007febca70418 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefd1cb9e8 5 bytes JMP 000007febca706b8 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!GdiTransparentBlt 000007fefd1d4f1c 5 bytes JMP 000007febca70478 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefd1d5410 5 bytes JMP 000007febca70658 .text C:\Windows\system32\AUDIODG.EXE[8984] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefd5d7490 11 bytes JMP 000007febca702f8 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076018791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 71720000 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[8160] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 6f780000 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Windows\SysWOW64\ctfmon.exe[12980] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076799d0b 5 bytes JMP 000000007292c380 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724fa80 5 bytes JMP 0000000072932ef0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007724fb78 5 bytes JMP 00000000700834b0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fbc8 5 bytes JMP 00000000729284a0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fcf0 5 bytes JMP 0000000070082830 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fd50 5 bytes JMP 0000000072927a50 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007724fe04 5 bytes JMP 0000000072929150 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fe68 5 bytes JMP 0000000072928840 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724feb4 5 bytes JMP 00000000700826c0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724ff48 5 bytes JMP 0000000070082c30 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724ff60 5 bytes JMP 000000007292ac60 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077250014 5 bytes JMP 0000000072926cc0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077250044 5 bytes JMP 0000000072928a50 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772500a4 5 bytes JMP 0000000072927610 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077250108 5 bytes JMP 00000000700829d0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077250124 5 bytes JMP 0000000072927860 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250154 5 bytes JMP 0000000072928e00 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077250458 5 bytes JMP 000000007292a150 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077250470 5 bytes JMP 000000007292ba20 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772505f0 5 bytes JMP 000000007292b740 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077250734 5 bytes JMP 0000000072927c40 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077250794 5 bytes JMP 000000007292bb30 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725083c 5 bytes JMP 0000000072926bb0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077250884 5 bytes JMP 000000007292bc40 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077250914 5 bytes JMP 0000000072926dd0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007725092c 5 bytes JMP 000000007292af30 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250944 5 bytes JMP 000000007292a680 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772509bc 5 bytes JMP 0000000070083290 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250e94 5 bytes JMP 0000000072927eb0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077250f78 5 bytes JMP 00000000729282b0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077251118 5 bytes JMP 0000000070082ec0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077251190 5 bytes JMP 0000000070083150 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251c84 5 bytes JMP 00000000729280a0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077251d54 5 bytes JMP 000000007292ab10 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251e2c 5 bytes JMP 0000000072928690 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007726921f 5 bytes JMP 0000000070083420 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077273d8c 7 bytes JMP 0000000072932d70 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772f0e9d 5 bytes JMP 0000000070083340 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076023bbb 5 bytes JMP 00000000729255e0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076029abc 2 bytes JMP 000000007291f060 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000076029abf 2 bytes [8F, FC] .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076033b7a 7 bytes JMP 000000007291fc20 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007603cce1 5 bytes JMP 000000007291ed50 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007608dcbe 7 bytes JMP 000000007291f290 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007608dd61 7 bytes JMP 000000007291f5a0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f897 5 bytes JMP 0000000072932d50 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007663fcca 5 bytes JMP 00000000729264c0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000076642e0c 4 bytes CALL 71580000 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d28332 5 bytes JMP 0000000072933e80 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d28bff 5 bytes JMP 00000000729347f0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d290d3 7 bytes JMP 00000000729338a0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d29679 5 bytes JMP 0000000072934ce0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d297d2 5 bytes JMP 0000000072935240 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d2ee09 5 bytes JMP 0000000072933a70 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d2efc9 5 bytes JMP 0000000072937970 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d312a5 5 bytes JMP 0000000072934300 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d3291f 5 bytes JMP 0000000072936900 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d32d64 5 bytes JMP 00000000729371d0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d32da4 5 bytes JMP 0000000072937b90 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d33698 5 bytes JMP 0000000072936fb0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d33baa 5 bytes JMP 0000000072934060 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d33c61 5 bytes JMP 00000000729345a0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d36110 5 bytes JMP 0000000072933ca0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d3612e 5 bytes JMP 0000000072934a40 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d36c30 7 bytes JMP 00000000729336c0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d37603 5 bytes JMP 00000000729333a0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d37668 5 bytes JMP 0000000072935cd0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d376e0 5 bytes JMP 00000000729357a0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d3781f 5 bytes JMP 0000000072934f80 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d3835c 5 bytes JMP 00000000729330e0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d3c4b6 5 bytes JMP 00000000729373c0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d41353 5 bytes JMP 0000000072937fa0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d4c112 5 bytes JMP 0000000072935f60 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d4d0f5 5 bytes JMP 00000000729361b0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d4eb96 5 bytes JMP 0000000072936b70 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d4ec68 5 bytes JMP 0000000072936660 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d4ff4a 5 bytes JMP 0000000072936400 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d69854 5 bytes JMP 0000000072938200 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d69f1d 5 bytes JMP 0000000072937760 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d71497 5 bytes JMP 0000000072937dc0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076d80205 5 bytes JMP 00000000729383a0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d8027b 5 bytes JMP 0000000072920b90 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d802bf 5 bytes JMP 00000000729209c0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d86cfc 1 byte JMP 0000000072935500 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA + 2 0000000076d86cfe 3 bytes {JMP RDI} .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d86d5d 5 bytes JMP 0000000072935a40 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d87dd7 5 bytes JMP 0000000072937590 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d888eb 5 bytes JMP 0000000072936dd0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e758b3 5 bytes JMP 0000000072921780 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e75ea6 5 bytes JMP 0000000072920da0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e77bcc 5 bytes JMP 00000000729206f0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 0000000075e7b0eb 5 bytes JMP 0000000072921d10 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e7b895 5 bytes JMP 0000000072921500 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 0000000075e7bba4 5 bytes JMP 0000000072921a90 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e7c332 5 bytes JMP 0000000072921010 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e7cbfb 5 bytes JMP 0000000072921850 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e7e743 5 bytes JMP 00000000729208a0 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075ea4646 5 bytes JMP 0000000072921290 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\SHELL32.dll!SHGetPropertyStoreForWindow 000000007509fe7d 5 bytes JMP 0000000056c72bb8 .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\SHELL32.dll!SetCurrentProcessExplicitAppUserModelID 00000000750fc92c 5 bytes JMP 0000000056c7294c .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000766a1465 2 bytes [6A, 76] .text C:\Users\Sasha\Downloads\qem9u9x2.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000766a14bb 2 bytes [6A, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\CLASSPNP.SYS[ntoskrnl.exe!IofCallDriver] [fffff880043143e4] \SystemRoot\system32\drivers\aswSP.sys [.text] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE[USER32.dll!SetLayeredWindowAttributes] [7fedcea1dfc] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE[SHLWAPI.dll!SHStrDupW] [7fedcea227a] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeTextEx] [7fedcea17d0] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeBackground] [7fedcea2086] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\SHELL32.dll[SHLWAPI.dll!SHStrDupW] [7fedcea227a] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!DrawTextExW] [7fedcd68f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\EXPLORERFRAME.dll[SHLWAPI.dll!SHStrDupW] [7fedcea227a] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\DUser.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\DUser.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\DUI70.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\DUI70.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawTextExW] [7fedcd68f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\MSCTF.dll[USER32.dll!DrawTextExW] [7fedcd68f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\MSCTF.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetLayeredWindowAttributes] [7fedcea1dfc] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\UxTheme.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\UxTheme.dll[USER32.dll!DrawTextExW] [7fedcd68f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\UxTheme.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetLayeredWindowAttributes] [7fedcea1dfc] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!DrawTextExW] [7fedcd68f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\msi.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\msi.dll[SHLWAPI.dll!SHStrDupW] [7fedcea227a] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\EhStorShell.dll[SHLWAPI.dll!SHStrDupW] [7fedcea227a] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\ATL.DLL[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\System32\shdocvw.dll[USER32.dll!DrawTextExW] [7fedcd68f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\System32\gameux.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\System32\gameux.dll[SHLWAPI.dll!SHStrDupW] [7fedcea227a] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\MsftEdit.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\authui.dll[SHLWAPI.dll!SHStrDupW] [7fedcea227a] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\authui.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\CRYPTUI.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\CRYPTUI.dll[USER32.dll!DrawTextExW] [7fedcd68f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\urlmon.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\System32\ieframe.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\System32\ieframe.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\System32\ieframe.dll[USER32.dll!SetLayeredWindowAttributes] [7fedcea1dfc] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\System32\ieframe.dll[USER32.dll!DrawTextExW] [7fedcd68f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\NetworkExplorer.dll[SHLWAPI.dll!SHStrDupW] [7fedcea227a] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\COMDLG32.dll[SHLWAPI.dll!SHStrDupW] [7fedcea227a] C:\Program Files\1UPIndustries\Bins\v1.1.0.784\TaskbarDockShellIntegration64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!FillRect] [7fedcd68ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!DrawTextW] [7fedcd68e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14965130700532294@SetupOperations ????????????????????????????????????? T?????????????r???????????? ?????????????????????,????????`?"? ???????????? ???????????????????:?,????????T??? ???????????\??\C:\Program Files\AVAST Software\Avast???? P?????????????1c???????????i?????d13??ms_vwifi?1???????????D????p3A}???????0,?et???????????C???????????????0,?3E??? ??????????????????????????????????+??????????????????????043??{8ECC055D-047F-11D1-A537-0000F8753ED1}?7-4??Virtual WiFi Filter Driver?Dev???????????c??????????sE???????????B??????????????????????????????????????????????????-1??? ????????????????????????L?????????????????p6????????????????????????3-B2??????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0?????????? ?????????? ?????????????????????0????????????????????PCI\VEN_14E4&DEV_4727&SUBSYS_7179144F&REV_01\4&31291047&0&00E0??????????? ?????????????????????0?????????? ?????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4749f8bf1ee Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4749f8bf1ee@704d7b001d61 0x36 0x37 0x29 0xF8 ... Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14965130700532294@SetupOperations ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????l???s??????disk???????????????????t?????????n??????????????????????????s???????????????? ???????C?????e-A???????????????????????????????????????????????????.?????n?.???????????????.????n??.??????????????????????????????????????????????????????????????????????????????9-7-2010?????????????????????????????????????????????????.??????????????C:\Program Files (x86)\Glary Utilities 5\AutoUpdate.exe??????????????c??Fi???????????????????????????????????????????????????????????m???l??? ???????F?????Fla???????????????s???????????????????????????????.??????????*.au3???????????????????s??????????????????n??????????????????????????????????????(???????????????p??????.?gd????????????????????????????????s??????????????t????????????????????????????.???o???????????????????????????????E???????????????/??????????????????????????????? ??????????????? ???????????????????????????????.? Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b4749f8bf1ee (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b4749f8bf1ee@704d7b001d61 0x36 0x37 0x29 0xF8 ... ---- Files - GMER 2.2 ---- File C:\Users\Sasha\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Bins\Media Player Classic 0 bytes ---- EOF - GMER 2.2 ----